On Thu, Dec 10, 2015 at 12:58:05PM +1000, Fraser Tweedale wrote:
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummel...@kpn.com wrote:
> > > Hello,
> > > 
> > > Im trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > > 
> > > I've exported the default caIPAServiceCert profile and did the following 
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > < 
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > >  OU=TESTAEM, O=IPADOMAIN
> > > 
> > > Profile
> > >   Profile ID: KPNWebhostingAEM
> > >   Profile description: KPN Webhosting AEM
> > >   Store issued certificates: TRUE
> > > 
> > > CAACL
> > >   ACL name: ING Intermediairs AEM Application Servers
> > >   Enabled: TRUE
> > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > > 
> > > Trying to request a certificate for a server
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > > 
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > > cannot be completed: FAILURE (Policy Set Not Found)).
> > >         stuck: no
> > >         key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > >         certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > >         CA: IPA
> > >         issuer:
> > >         subject:
> > >         expires: unknown
> > >         pre-save command:
> > >         post-save command:
> > >         track: yes
> > >         auto-renew: yes
> > > 
> > > Since the same setup was working to request certificates on my lab 
> > > environment I'm at a loss what is causing the error.
> > > 
> > > Met vriendelijke groet,
> > > 
> > Hi Wouter,
> > 
> > I'm looking into this; stay tuned.
> > 
> OK, I could not reproduce.  Is the issue reproducible for you?  Did
> you execute the commands by hand or as part of a script?  Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
>
Oh, and did you make any changes to the profile configuration
besides those you mentioned; the profileId and Subject Name pattern?

> 
> Cheers,
> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to