[Freeipa-users] When a cert-profile doesn't exist and can't see it but IPA thinks it does - how to correct?

We found that we have a cert profile that was deleted in the ui and then we attempted to re-create it, but it will not. ipa: ERROR: Request failed with status 409: Non-2xx response from CA REST API: 409. Unable to create profile: Profile already exists The profile does not show in the UI or via the CLI $ ipa certprofile-find controlServersKubeAPIClustertest1 <blank> $ ipa certprofile-show controlServersKubeAPIClustertest1 <blank> But when checking ldap itself we can see it. $ ldapsearch -LLL -o ldif-wrap=no -w $pass -D 'cn=Directory Manager' -b 'o=ipaca' | grep controlServersKubeAPIClustertest1 dn: cn=controlServersKubeAPIClustertest1,ou=certificateProfiles,ou=ca,o=ipaca cn: controlServersKubeAPIClustertest1 extdata-profileid: controlServersKubeAPIClustertest1 metaInfo: profileId:controlServersKubeAPIClustertest1 extdata-profileid: controlServersKubeAPIClustertest1 metaInfo: profileId:controlServersKubeAPIClustertest1 extdata-profileid: controlServersKubeAPIClustertest1 metaInfo: profileId:controlServersKubeAPIClustertest1 extdata-profileid: controlServersKubeAPIClustertest1 metaInfo: profileId:controlServersKubeAPIClustertest1 extdata-profileid: controlServersKubeAPIClustertest1 metaInfo: profileId:controlServersKubeAPIClustertest1 Apart from doing an ldapdelete on that dn: , is there a better way to clean up that "ghost" cert profile? (and the corresponding certs?) thanks, Nick