The dogtag PKI server maintains its own list of servers by type (CA, KRA, etc.) in what it calls its security domain.
Prior to IPA 4.9.7 this security domain was not cleaned up when an IPA server was removed. This left “ghost” servers that PKI thought still existed.
We can use the CA REST API to send a DELETE to:
https://ipa.example.test:443/ca/rest/securityDomain/hosts/CA%20replica.example.test%20443
This would delete the CA replica.example.test on port 443. The format is similar for KRA servers (IPA only supports CA and KRA and not the other service types that the full dogtag PKI supports).
From the CLI this looks like:
# pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -C /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA
ipa.example.test 443'This uses the subsystem cert for simplicity because otherwise we’d have to import the IPA RA agent certificate into the pki CLI NSS database and while not difficult, it involves converting PEM files to a PKCS#12 file and importing that. Using the subsystem cert is just easier in this case.
This work is reflected in upstream IPA ticket https://pagure.io/freeipa/issue/8930 .
Frustrations 