When you run "ipa-ca-install" without the replica file, you get the following misleading information:
CA is already installed.
When I run the same tool with the replica file, it works ok. In the man page we say though that the replica file is optional:
""" SYNOPSIS ipa-ca-install [OPTION]... [replica_file]
Alternatively, you can run ipa-ca-install without replica_file to upgrade from CA-less to CA-full. """
We should either fix the man page to make the replica file a requirement or change the ipa-ca-install to set up a new CA with new key material which then doesn't require a replica file.
What version of IPA?
4.2 (RHEL-7.2 release)
The behavior probably changed since 4.2.
Also, the ipa-ca-install man page doesn't contain any mention of domain levels; would fix in 4.4/4.3.2.
4.3.2 was released, moving to 4.3.3
Metadata Update from @tscherf: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.3.3
4.3.x EOL
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.4.5 (was: FreeIPA 4.3.3)
Metadata Update from @frenaud: - Issue assigned to frenaud (was: someone)
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/678 (was: 0)
master:
ipa-4-4:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)