URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

rcritten commented:
As far as I can tell it is always recoverable using this. I wasn't able to 
force a failure of replication, that could be a potential show-stopper. The PR 
doesn't touch the replication agreements at all except to allow them to already 
be there, so if things were in some sort of halfway state I couldn't say for 
sure what would happen.

The code is there for examination to determine what steps are done, but in 

- call the existing CA uninstaller which mostly just calls pki-destroy (it also 
does some state cleanup, removes the CRLs and untracks the CA certs via 
- A side-effect of the uninstaller is to shutdown certmonger. I start that back 
- The service is removed from cn=masters
- The cached services list is removed so ipactl won't fail starting a 
non-existent tomcat instance

To be idempotent would require changes in dogtag, it is that which blows up on 
a re-install attempt.

I would not be in favor of automatically uninstalling dogtag on another 
ipa-ca-install call.

ipa-ca-install would/should never be run on the original master. It already 
prints a big fat warning. I'd be ok making it fatter and requiring (no joke) 
multiple "Are you sure" prompts.

There is no CA install for CAless so not a case I'm interested in.

If you want to rename options I'm ok with that as well, maybe --try-again or 
something of that nature (in which case I WOULD be in favor of doing the 
uninstall automatically).

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to