Andrea Bontempi wrote:
Here the log /var/log/pki/pki-tomcat/ca/debug
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri =
/ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param
name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param
name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param
name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param
name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param
name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start
to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal
false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data
provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08
13:40:43 CET 2013 id=caProfileSubmit time=100
Log /var/log/pki/pki-tomcat/ca/system:
1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS
#11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit:
Object certificate not found. Error
org.mozilla.jss.crypto.ObjectNotFoundException
Ok, I'm not sure if the caServerCert error is a red herring or not. Does
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca
pass?
I wonder if the certificate you're passing is valid. Can openssl x509
-text -in /path/to/ca.crt show the cert ok?
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users