Andrea Bontempi wrote:
Here is the log /var/log/pki/pki-tomcat/ca/debug:

[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100

Log /var/log/pki/pki-tomcat/ca/system:

1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Ok, I'm not sure if the caServerCert error is a red herring or not. Does /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca pass?
I wonder if the certificate you're passing is valid. Can openssl x509 -text -in /path/to/ca.crt show the cert ok?
rob
