On Sun, Jun 11, 2017 at 12:46:31AM -0000, jochem--- via FreeIPA-users wrote:
> Hello all,
> 
> I finally got something working, and found something of a cause.
> 
> I replaced 
> policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$,
>  $SUBJECT_DN_O
> with
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
>  o=FAKEDOMAIN.LOCAL
> 
> imported the new profile, the error was gone and the certificate issued.
> 
> Some further investigation showed me it wasn't just right yet. I examined the 
> certificate and found this (removed the other parts of the certificate):
> 
>             Authority Information Access: 
>                 OCSP - URI:http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
> 
>                 Full Name:
>                   URI:http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
> 
> So somehow the variables are not being processed. For now I just put the 
> domain name in the profile and it is working.
> 
> Does anyone have any idea why this is (not) happening? And how to fix it? For 
> now it is working but I would like the original profile working again.
> 
> Best regards,
> 
> Jochem Kuijpers
>
You are very close to hitting on the solution.

It looks like you have taken the profile configuration directly from
/usr/share/ipa/profiles/.  These are not ready-to-go profiles;
rather they are profile TEMPLATES containing variable substitutions
for FreeIPA to perform, before the profile gets loaded into Dogtag.

The '$$' is for a literal '$', and the '$IPA_CA_RECORD', '$DOMAIN',
'$SUBJECT_DN_O' and so on, are the variable substitutions that IPA
performs.  So from here, you should perform those substitutions
yourself, including the '$$' -> '$'.

When you modify a profile it is recommended to use `ipa
certprofile-show --out FILENAME` to export the current profile
configuration from Dogtag, then edit that and update the profile via
`ipa certprofile-mod`.

HTH,
Fraser
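As an added example (not FreeIPA's or Dogtag's own code), this is the substitution step Fraser describes applied to the template lines from the thread, plus a check for placeholders that survived rendering, which is the symptom Jochem saw in the AIA extension. Python's string.Template uses the same convention as the templates: '$$' is a literal '$' and '$NAME' is a variable. The substitution values and the policyset key names for the AIA and CRL lines are constructed for the example.

```python
import re
from string import Template

# Constructed sample: the template lines discussed in the thread, as they
# appear in a /usr/share/ipa/profiles/*.cfg file before FreeIPA renders them
# (key names illustrative, not a complete profile).
TEMPLATE = """\
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""

# Constructed values; a real deployment takes these from the IPA server's
# own configuration (CA DNS record, domain, realm for the subject O=).
SUBS = {
    "IPA_CA_RECORD": "ipa-ca",
    "DOMAIN": "example.test",
    "SUBJECT_DN_O": "O=EXAMPLE.TEST",
}

# Upper-case $NAME or ${NAME} not preceded by another '$'. Dogtag's own
# lower-case "$request.req_subject_name.cn$" must survive rendering untouched.
PLACEHOLDER = re.compile(r"(?<!\$)\$\{?([A-Z][A-Z0-9_]*)\}?")


def ipa_variables(text):
    """Names of the IPA-style $VARIABLE placeholders present in text."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(text)})


def missing_variables(template_text, subs):
    """Placeholders the template uses that subs provides no value for."""
    return [name for name in ipa_variables(template_text) if name not in subs]


def render_profile(template_text, subs):
    """Perform the substitutions FreeIPA would: $NAME -> subs[NAME] and the
    '$$' escape -> literal '$'. A missing variable raises KeyError instead
    of leaking a literal '$NAME' into the profile handed to Dogtag."""
    return Template(template_text).substitute(subs)


def is_rendered(profile_text):
    """True when no unexpanded template variable or '$$' escape remains,
    i.e. the text is a profile rather than a profile template."""
    return "$$" not in profile_text and not ipa_variables(profile_text)
```

Run is_rendered() over the profile before importing it, and over the issued certificate's extension text when an AIA or CRL URI looks wrong, as in the thread.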
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org