On 29-05-2021 10:21, Alexander Bokovoy wrote:
But I did use "ipa-csreplica-manage del" as well. However, I remember that it
complained it couldn't remove that host. I was assuming it was already gone.
When I list with ipa-csreplica-manage then I don't see the old hosts anymore.
It's worth noting that on my install (4.9.3) on Fedora, `ipa-csreplica-manage del` just prints a
deprecated message and doesn't seem to do anything.
So, two things:
1) "ipa-csreplica-manage del" somehow failed (it's probably too late to look at logs)
2) how can I still remove the old hosts?
I have/had the same problem. I used
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth into the CA
to remove the dead host.
pki client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password [redact]
pki -n ipa-ca-agent securitydomain-host-find
# you need the full Host ID section to remove
pki -n ipa-ca-agent securitydomain-host-del "CA freeipa2[redact].net 443"
Keep in mind I'm fairly new to IPA, so maybe you don't want to do this on a
production system without someone else more experienced chiming in. But, so far, the
health check stopped complaining, replication is fine, and all my users can still log in.