On Thu, Dec 10, 2015 at 12:58:05PM +1000, Fraser Tweedale wrote:
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummel...@kpn.com wrote:
> > > Hello,
> > >
> > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > >
> > > I've exported the default caIPAServiceCert profile and did the following
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > <
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > > OU=TESTAEM, O=IPADOMAIN
> > >
> > > Profile
> > >   Profile ID: KPNWebhostingAEM
> > >   Profile description: KPN Webhosting AEM
> > >   Store issued certificates: TRUE
> > >
> > > CAACL
> > >   ACL name: ING Intermediairs AEM Application Servers
> > >   Enabled: TRUE
> > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > >
> > > Trying to request a certificate for a server:
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> > >
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > >   status: CA_UNREACHABLE
> > >   ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
> > >   stuck: no
> > >   key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > >   certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > >   CA: IPA
> > >   issuer:
> > >   subject:
> > >   expires: unknown
> > >   pre-save command:
> > >   post-save command:
> > >   track: yes
> > >   auto-renew: yes
> > >
> > > Since the same setup was working to request certificates on my lab
> > > environment, I'm at a loss as to what is causing the error.
> > >
> > > Kind regards,
> > >
> > Hi Wouter,
> >
> > I'm looking into this; stay tuned.
> >
> OK, I could not reproduce. Is the issue reproducible for you? Did
> you execute the commands by hand or as part of a script? Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
> Oh, and did you make any changes to the profile configuration besides
> those you mentioned, the profileId and Subject Name pattern?
>
> Cheers,
> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
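Review bot: in the 87c87 hunk the new Subject Name value is shown broken across two lines (`policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,` followed by `OU=TESTAEM, O=IPADOMAIN`); if that line break exists in the profile file rather than being mail wrapping, the key is left with the truncated value `CN=$request.req_subject_name.cn$,` and `OU=TESTAEM, O=IPADOMAIN` becomes a stray line that no policy reads, so confirm the whole value sits on one line (the unchanged `<` side shows the same wrapping, which suggests it is mail wrapping, but the on-disk file is what matters). Minor: the `<` line names the exported profile `caIPAserviceCert` (lowercase s), while the description above says caIPAServiceCert.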
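A practical check before importing a hand-edited profile like the one in this thread is to lint the exported file for the consistency the error message names: that `profileId` is the ID you expect, that every set in `policyset.list` has its `policyset.<set>.list`, that each member has both a `default.class_id` and a `constraint.class_id`, and that no value (the Subject Name pattern in particular) has been wrapped onto a second line. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It relies only on the key=value layout visible in the thread, and the heuristics (profile keys start lowercase, a value ending in a comma is suspect), function names and sample profiles are constructed for illustration.

```python
"""Consistency checks for a hand-edited Dogtag/FreeIPA certificate profile file.

Added example; not code from the thread, from FreeIPA or from Dogtag. It relies
only on the key=value layout visible in the thread (profileId=...,
policyset.list=..., policyset.<set>.list=..., policyset.<set>.<n>.default.* and
.constraint.*). The heuristics, function names and sample profiles below are
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Profile keys are lowercase-initial dotted names; a line such as
# "OU=TESTAEM, O=IPADOMAIN" is the tail of a DN wrapped onto its own line.
KEY_RE = re.compile(r"^[a-z][A-Za-z0-9_.-]*$")


def parse_profile(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse key=value lines into a dict and report lines that look wrapped."""
    config: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not KEY_RE.match(key):
            findings.append(
                f"line {lineno}: {line!r} is not a profile key (wrapped value?)")
            continue
        if value.endswith(","):
            findings.append(
                f"line {lineno}: value of {key} ends with ',' (wrapped value?)")
        if key in config:
            findings.append(f"line {lineno}: duplicate key {key}")
        config[key] = value
    return config, findings


def lint_profile(text: str, expected_id: str) -> List[str]:
    """Return findings; an empty list means the profile is self-consistent."""
    config, findings = parse_profile(text)

    actual_id = config.get("profileId")
    if actual_id != expected_id:
        findings.append(f"profileId is {actual_id!r}, expected {expected_id!r}")

    # Every policy set named in policyset.list needs its own member list, and
    # every member needs both a default and a constraint class.
    sets = [s.strip() for s in config.get("policyset.list", "").split(",") if s.strip()]
    if not sets:
        findings.append("policyset.list is missing or empty")
    for pset in sets:
        members = [m.strip() for m in config.get(f"policyset.{pset}.list", "").split(",") if m.strip()]
        if not members:
            findings.append(f"policyset.{pset}.list is missing or empty")
            continue
        for member in members:
            for part in ("default.class_id", "constraint.class_id"):
                key = f"policyset.{pset}.{member}.{part}"
                if key not in config:
                    findings.append(f"{key} is missing")
    return findings


def subject_name_patterns(text: str, pset: str = "serverCertSet") -> List[str]:
    """Collect the Subject Name default patterns (default.params.name) of a set."""
    config, _ = parse_profile(text)
    prefix, suffix = f"policyset.{pset}.", ".default.params.name"
    return [v for k, v in config.items() if k.startswith(prefix) and k.endswith(suffix)]


# Constructed sample in the layout the thread shows; not an exported profile.
GOOD_PROFILE = """\
profileId=KPNWebhostingAEM
name=KPN Webhosting AEM
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
"""

# Same sample with the Subject Name value broken across two lines, the way a
# mail-wrapped diff can leave it: the key keeps "CN=...," and "OU=..." becomes
# a stray line that no policy reads.
WRAPPED_PROFILE = GOOD_PROFILE.replace(", OU=TESTAEM", ",\nOU=TESTAEM")

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROFILE), ("wrapped", WRAPPED_PROFILE)):
        print(label, lint_profile(text, "KPNWebhostingAEM") or "OK")
        print("  subject name:", subject_name_patterns(text))
```

Run it against the file you intend to hand to `ipa certprofile-import`, with the expected ID as the second argument to `lint_profile`; an empty result means the structural checks pass, and the `subject_name_patterns` output lets you eyeball the exact `CN=..., OU=..., O=...` string the CA will apply before any request is made.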