Title: #764: Basic uninstaller for the CA
As far as I can tell it is always recoverable using this. I wasn't able to
force a failure of replication; that could be a potential show-stopper. The PR
doesn't touch the replication agreements at all except to allow them to already
be there, so if things were in some sort of halfway state I couldn't say for
sure what would happen.
The code is there for examination to determine what steps are done, but in
- call the existing CA uninstaller which mostly just calls pki-destroy (it also
does some state cleanup, removes the CRLs and untracks the CA certs via
- A side-effect of the uninstaller is to shut down certmonger. I start that back
- The service is removed from cn=masters
- The cached services list is removed so ipactl won't fail starting a
non-existent tomcat instance
To be idempotent would require changes in dogtag; it is that which blows up on
a re-install attempt.
I would not be in favor of automatically uninstalling dogtag on another
ipa-ca-install would/should never be run on the original master. It already
prints a big fat warning. I'd be ok making it fatter and requiring (no joke)
multiple "Are you sure" prompts.
There is no CA install for CAless so not a case I'm interested in.
If you want to rename options I'm ok with that as well, maybe --try-again or
something of that nature (in which case I WOULD be in favor of doing the
See the full comment at