I'll send the log as soon as I get a chance. After the mail I also tried fetching a cert on another server, cent7.1, that never had a cert issued. This resulted in a cert conformant with caIPAserviceCert.
Sent from my Samsung device

-------- Original message --------
From: Fraser Tweedale <[email protected]>
Date: 2015-12-10 03:58 (GMT+01:00)
To: "Hummelink, Wouter" <[email protected]>
Cc: [email protected]
Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +0000, [email protected] wrote:
> > Hello,
> >
> > I'm trying to import and use a certificate profile in IPA v4.2 on RHEL.
> >
> > I've exported the default caIPAserviceCert profile and made the following
> > modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
> > 87c87
> > <
> > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > O=IPADOMAIN
> > ---
> > >
> > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > OU=TESTAEM, O=IPADOMAIN
> >
> > Profile
> > Profile ID: KPNWebhostingAEM
> > Profile description: KPN Webhosting AEM
> > Store issued certificates: TRUE
> >
> > CAACL
> > ACL name: ING Intermediairs AEM Application Servers
> > Enabled: TRUE
> > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > Host Groups: xxx_accp_applications, xxx_prod_applications
> >
> > Trying to request a certificate for a server:
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k
> > /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> >
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> >         status: CA_UNREACHABLE
> >         ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed
> > request, will retry: 4301 (RPC failed at server. Certificate operation
> > cannot be completed: FAILURE (Policy Set Not Found)).
> >         stuck: no
> >         key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> >         certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> >         CA: IPA
> >         issuer:
> >         subject:
> >         expires: unknown
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> >
> > Since the same setup was working to request certificates on my lab
> > environment, I'm at a loss as to what is causing the error.
> >
> > Kind regards,
> >
> Hi Wouter,
>
> I'm looking into this; stay tuned.
>
OK, I could not reproduce. Is the issue reproducible for you? Did you
execute the commands by hand or as part of a script? Can you provide
your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?

Cheers,
Fraser
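Review bot: the profile diff quoted above is incomplete and its replacement value appears split across lines: the hunk header for the profileId change (the line that would precede `< profileId=caIPAserviceCert`) is missing, and in hunk 87c87 the new `policyset.serverCertSet.1.default.params.name` value is shown as `CN=$request.req_subject_name.cn$,` with `OU=TESTAEM, O=IPADOMAIN` on a separate line. If that line break is in the edited file rather than mail wrapping, the value ends after the comma and `OU=TESTAEM, O=IPADOMAIN` becomes a stray key in the profile. Re-diffing the edited file against the exported original with `diff -u` (so the surrounding context is visible) and confirming that the `policyset.list` and `policyset.serverCertSet.list` lines are untouched would rule that out before looking elsewhere for the "Policy Set Not Found" failure.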
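An added example, not code from this thread or from FreeIPA/Dogtag: an offline lint for a raw profile file of the kind the quoted diff edits. It parses the key=value format that `ipa certprofile-show ID --out FILE` exports and checks the references a hand-edited copy has to keep consistent (profileId, policyset.list, each set's .list line, and a default and constraint class for every listed policy), and it flags a value that was wrapped onto its own line. The sample profiles are constructed and keep only two of caIPAserviceCert's policies; the key names are taken from that profile, and treating a broken set reference or a wrapped line as a plausible cause of "Policy Set Not Found" is this example's own assumption, not a diagnosis from the thread.

```python
"""Offline sanity check for a Dogtag/FreeIPA raw certificate profile.

Added example, not code from the thread or from FreeIPA/Dogtag.  Key names
follow the caIPAserviceCert profile exported by `ipa certprofile-show ID
--out FILE`; the checks, and the idea that a broken policy-set reference or
a wrapped line could be behind "Policy Set Not Found", are assumptions.
"""
import re

# Top-level keys present in caIPAserviceCert (assumed not exhaustive for every
# profile class); any other key outside the known prefixes is reported.
KNOWN_TOP_LEVEL = {"profileId", "classId", "desc", "visible", "enable", "enableBy", "name"}
KNOWN_PREFIXES = ("input.", "output.", "policyset.", "auth.", "authz.")


def parse_profile(text):
    """Return (key -> value dict, [(lineno, text)] for lines without an '=')."""
    props, odd = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            odd.append((lineno, line))
            continue
        key, _, value = line.partition("=")  # values may contain '=' themselves
        props[key.strip()] = value.strip()
    return props, odd


def check_profile(text, expected_id=None):
    """Return a list of findings; an empty list means the file looks consistent."""
    props, odd = parse_profile(text)
    findings = [f"line {n}: no '=' (wrapped or truncated?): {l!r}" for n, l in odd]
    pid = props.get("profileId")
    if not pid:
        findings.append("profileId missing")
    elif expected_id and pid != expected_id:
        findings.append(f"profileId is {pid!r}, expected {expected_id!r}")
    # A value wrapped onto the next line surfaces as an unknown key, e.g.
    # "OU=TESTAEM, O=IPADOMAIN" on its own line parses as key "OU".
    for key in props:
        if key not in KNOWN_TOP_LEVEL and not key.startswith(KNOWN_PREFIXES):
            findings.append(f"unexpected key {key!r} (value wrapped from previous line?)")
    # policyset.list names the sets, each set lists its policy ids, and each
    # policy needs both a default and a constraint class.
    sets = [s for s in props.get("policyset.list", "").split(",") if s]
    if not sets:
        findings.append("policyset.list missing or empty")
    for s in sets:
        ids = [i for i in props.get(f"policyset.{s}.list", "").split(",") if i]
        if not ids:
            findings.append(f"policyset.{s}.list missing or empty")
        for i in ids:
            for part in ("default", "constraint"):
                if f"policyset.{s}.{i}.{part}.class_id" not in props:
                    findings.append(f"policyset.{s}.{i}.{part}.class_id missing")
    # Policies defined under a set name that policyset.list never references.
    used = {m.group(1) for m in (re.match(r"policyset\.([^.]+)\.", k) for k in props) if m}
    for s in sorted(used - set(sets)):
        findings.append(f"policy set {s!r} has entries but is not in policyset.list")
    return findings


# Constructed sample modelled on the thread's edited copy of caIPAserviceCert;
# only two of the real profile's policies are kept.
GOOD_PROFILE = """\
profileId=KPNWebhostingAEM
classId=caEnrollImpl
desc=KPN Webhosting AEM
visible=false
enable=true
enableBy=admin
name=KPN Webhosting AEM
auth.instance_id=raCertAuth
authz.acl=group="Certificate Manager Agents"
input.list=i1
input.i1.class_id=certReqInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.params.range=731
"""
# Same file with the edited subject-name value wrapped onto a second line,
# the way the quoted diff shows it.
WRAPPED_PROFILE = GOOD_PROFILE.replace(", OU=TESTAEM", ",\nOU=TESTAEM")
# Same file with the policyset.list line dropped.
NO_SET_LIST = GOOD_PROFILE.replace("policyset.list=serverCertSet\n", "")

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("wrapped", WRAPPED_PROFILE), ("no-set-list", NO_SET_LIST)):
        print(f"{label}: {check_profile(prof) or 'clean'}")
```

Run it against the file you are about to pass to `ipa certprofile-import` rather than against the diff: the wrapped-value case is exactly the one a `diff` without context hides, and an unknown top-level key or an orphaned policy set is something to fix before asking the CA why the request failed.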
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
