On Sun, Jun 11, 2017 at 12:46:31AM -0000, jochem--- via FreeIPA-users wrote:
> Hello all,
>
> I finally got something working, and found something of a cause.
>
> I replaced
> policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> with
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=FAKEDOMAIN.LOCAL
>
> imported the new profile, the error was gone and the certificate issued.
>
> Some further investigation showed me it wasn't just right yet. I examined the
> certificate and found this (removed the other parts of the certificate):
>
> Authority Information Access:
> OCSP - URI:http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
>
> Full Name:
> URI:http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
>
> So somehow the variables are not being processed. For now I just put the
> domain name in the profile and it is working.
>
> Does anyone have any idea why this is (not) happening? And how to fix it? For
> now it is working but I would like the original profile working again.
>
> Best regards,
>
> Jochem Kuijpers
>

You are very close to hitting on the solution.
It looks like you have taken the profile configuration directly from /usr/share/ipa/profiles/. These are not ready-to-go profiles; rather they are profile TEMPLATES containing variable substitutions for FreeIPA to perform, before the profile gets loaded into Dogtag.

The '$$' is for a literal '$', and the '$IPA_CA_RECORD', '$DOMAIN', '$SUBJECT_DN_O' and so on, are the variable substitutions that IPA performs. So from here, you should perform those substitutions yourself, including the '$$' -> '$'.

When you modify a profile it is recommended to use `ipa certprofile-show --out FILENAME` to export the current profile configuration from Dogtag, then edit that and update the profile via `ipa certprofile-mod`.

HTH,
Fraser
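
The substitution rules described in the reply above, as an added example (not code from the thread or from FreeIPA): Python's `string.Template` uses the same `$NAME` and `$$` conventions, so it renders a constructed template excerpt here, and `unrendered()` flags any template token still present in a profile before it is imported. The two URI key names and all values in `VALUES` are assumptions.

```python
import re
from string import Template

# Constructed excerpt of a profile template. The first key is quoted in the
# thread; the other two key names and all values below are assumptions.
TEMPLATE = """\
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""
VALUES = {"SUBJECT_DN_O": "O=EXAMPLE.TEST", "IPA_CA_RECORD": "ipa-ca", "DOMAIN": "example.test"}

# One pass over each line: '$$' escapes, Dogtag's own $request.<field>$
# placeholders (which must survive rendering), then any other $NAME / ${NAME}.
TOKEN = re.compile(r"\$\$|(?P<dogtag>\$request\.[\w.]+\$)|\$\{?[A-Za-z_]\w*\}?")


def render(template, values):
    """Replace $NAME with its value and '$$' with '$'; KeyError if a value is missing."""
    return Template(template).substitute(values)


def unrendered(cfg):
    """Return (line_number, token) for every template token still present in cfg."""
    return [(no, m.group())
            for no, line in enumerate(cfg.splitlines(), 1)
            for m in TOKEN.finditer(line)
            if not m.group("dogtag")]


if __name__ == "__main__":
    print("raw template:", unrendered(TEMPLATE))
    profile = render(TEMPLATE, VALUES)
    print("rendered    :", unrendered(profile))
    print(profile)
```

A non-empty result from `unrendered()` on a file about to be imported means the issued certificates would carry literal `$IPA_CA_RECORD.$DOMAIN` OCSP and CRL URIs, as seen in the quoted certificate.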