Andreas Bulling via FreeIPA-users wrote:
You have a chicken and egg problem. When replacing your certs on an
existing infrastructure you first have to add your new CA certs using
ipa-cacert-manage, then run ipa-certupdate on all enrolled machines,
including masters, then you can run ipa-servercert-install to replace them.
This seems to be the routine described on the FreeIPA page, which I followed except for
running ipa-certupdate on all enrolled machines prior to ipa-servercert-install. The
documentation doesn't mention this; it should probably be fixed before more people end up
in this situation.
Is there any way for me to fix this? Client uninstall and reinstall?
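
A pre-flight check for the ordering described in this thread, added here as an example and not taken from the thread or from FreeIPA: it confirms that every certificate in the new CA file is already in a host's trust bundle before the server certificates are replaced. The function names are hypothetical, and `/etc/ipa/ca.crt` as the bundle that ipa-certupdate refreshes is an assumption; the check covers that file only, not the NSS databases.

```shell
#!/bin/sh
# Added example (not FreeIPA code): run on each enrolled host after
# ipa-certupdate and before the server certificates are replaced.
# Assumed usage: bundle_has_ca /etc/ipa/ca.crt /path/to/new-ca-chain.pem

# pem_bodies FILE: print each certificate in FILE as one line of base64,
# ignoring line wrapping, CRs and any text outside the PEM markers.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# bundle_has_ca BUNDLE NEW_CA
#   0 = every certificate in NEW_CA is already in BUNDLE (safe to proceed)
#   1 = at least one is missing (this host has not picked up the new CA yet)
#   2 = a file is unreadable or NEW_CA holds no certificate
bundle_has_ca() {
    bundle=$1
    new_ca=$2
    [ -r "$bundle" ] && [ -r "$new_ca" ] || return 2
    wanted=$(pem_bodies "$new_ca")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    # base64 contains no whitespace or glob characters, so word splitting
    # yields exactly one word per certificate.
    for cert in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$cert" || return 1
    done
    return 0
}
```

A return of 1 on any host means that host would stop trusting the servers once their certificates change, which is the situation the thread describes.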