Andrea Bontempi wrote:
Here is the log /var/log/pki/pki-tomcat/ca/debug:

[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100

Log /var/log/pki/pki-tomcat/ca/system:

1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Ok, I'm not sure if the caServerCert error is a red herring or not. Does /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca pass?

I wonder if the certificate you're passing is valid. Can openssl x509 -text -in /path/to/ca.crt show the cert ok?

rob
