On Sun, Jun 11, 2017 at 12:46:31AM -0000, jochem--- via FreeIPA-users wrote:
> Hello all,
> I finally got something working, and found something of a cause.
> I replaced
> imported the new profile, the error was gone and the certificate issued.
> Some further investigation showed me it wasn't just right yet. I examined the
> certificate and found this (removed the other parts of the certificate):
> Authority Information Access:
> OCSP - URI:http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
> Full Name:
> So somehow the variables are not being processed. For now I just put the
> domain name in the profile and it is working.
> Does anyone have any idea why this is (not) happening? And how to fix it? For
> now it is working but I would like the original profile working again.
> Best regards,
> Jochem Kuijpers
You are very close to hitting on the solution.
It looks like you have taken the profile configuration directly from
/usr/share/ipa/profiles/. These are not ready-to-go profiles;
rather they are profile TEMPLATES containing variable substitutions
for FreeIPA to perform, before the profile gets loaded into Dogtag.
The '$$' is for a literal '$', and the '$IPA_CA_RECORD', '$DOMAIN',
'$SUBJECT_DN_O' and so on, are the variable substitutions that IPA
performs. So from here, you should perform those substitutions
yourself, including the '$$' -> '$'.
When you modify a profile it is recommended to use `ipa
certprofile-show --out FILENAME` to export the current profile
configuration from Dogtag, then edit that and update the profile via
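
The substitution described in the reply above, as an added example that is not part of the original thread and not FreeIPA's own code: it renders a template and flags a profile that still carries template markers, which is the state that put `$IPA_CA_RECORD.$DOMAIN` into the issued certificate. Assumptions: Python's `string.Template` stands in for the substitution step, the sample lines and values are constructed, and treating uppercase `$NAME` as an IPA variable is a heuristic.

```python
import re
from string import Template

# Constructed sample in the style of a profile template; keys and values are
# illustrative, not copied from a file under /usr/share/ipa/profiles/.
SAMPLE_TEMPLATE = """\
profileId=exampleProfile
policyset.example.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.example.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
"""

# Constructed substitution values for a hypothetical deployment.
SAMPLE_VALUES = {
    "DOMAIN": "example.test",
    "IPA_CA_RECORD": "ipa-ca",
    "SUBJECT_DN_O": "O=EXAMPLE.TEST",
}

# '$$' (escaped dollar) or an uppercase '$NAME' / '${NAME}' variable.
# Assumption: substitution variables are uppercase, while Dogtag's own
# '$request....$' references are lowercase and must survive rendering.
TEMPLATE_MARKER = re.compile(r"\$\$|\$\{?[A-Z][A-Z0-9_]*\}?")


def render_profile(template_text, values):
    """Replace $NAME variables and turn '$$' into a literal '$'.

    Template.substitute raises KeyError when a variable has no value, so a
    half-rendered profile is never returned.
    """
    return Template(template_text).substitute(values)


def find_template_markers(profile_text):
    """Return (line_number, marker) for every leftover template marker."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        for match in TEMPLATE_MARKER.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


if __name__ == "__main__":
    print("raw template markers:", find_template_markers(SAMPLE_TEMPLATE))
    rendered = render_profile(SAMPLE_TEMPLATE, SAMPLE_VALUES)
    print(rendered)
    print("markers after rendering:", find_template_markers(rendered))
```

Running `find_template_markers` over a profile file before importing it catches a raw template early, instead of discovering the literal variable names later in an issued certificate's OCSP URI.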