Hey Rob,

I have an update that'll close out this thread.

We discovered that the code in the pki-ca was looking for a CN of the IPA RA's 
serial number in ou=certificateRepository,ou=ca,o=ipaca. This didn't exist and 
we realized it might be part of the problem.  It turns out that it was which 
helps explain the NPE we saw in the original error.

We ultimately had to create a local ldif for the current IPA RA certificate in 
production, add the new cn entry to "ou=certificateRepository,ou=ca,o=ipaca", 
and attempt a resubmit operation.  We had a little trouble deciphering some of 
the metaInfo, specifically the "requestId" as ou=ca,ou=requests,o=ipaca was 
also missing a request entry for our IPA RA certificate. After testing in 
staging, we felt comfortable pushing to production pointing at the previous 
certificates ou=ca,ou=requests,o=ipaca entry.  The resubmit worked late last 

Thanks for your help.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to