On Thu, Dec 10, 2015 at 07:04:33AM +0000, wouter.hummel...@kpn.com wrote:
> I'll send the log as soon as I get a chance. After the mail I also tried 
> fetching a cert on another server cent7.1 that never had a cert issued. This 
> resulted in a cert conformant with caIpaServiceCert
> 
That is expected behaviour - only RHEL 7.2 version of Certmonger
propagates the requested profile (`-T' option) to the IPA CA.

> 
> Sent from my Samsung device
> 
> 
> -------- Original message --------
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: 2015-12-10 03:58 (GMT+01:00)
> To: "Hummelink, Wouter" <wouter.hummel...@kpn.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
> 
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummel...@kpn.com wrote:
> > > Hello,
> > >
> > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > >
> > > I've exported the default caIPAServiceCert profile and did the following 
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > < 
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > >  OU=TESTAEM, O=IPADOMAIN
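Review bot: In the 87c87 hunk the `policyset.serverCertSet.1.default.params.name` value is split after `$request.req_subject_name.cn$,` with ` OU=TESTAEM, O=IPADOMAIN` on the following line. The `<` side is wrapped the same way, so this is probably the mail client, but it is worth confirming that the profile file that was imported keeps the whole value on one line, since in a key=value profile file a line break would cut the subject template short at the trailing comma.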
> > >
> > > Profile
> > >   Profile ID: KPNWebhostingAEM
> > >   Profile description: KPN Webhosting AEM
> > >   Store issued certificates: TRUE
> > >
> > > CAACL
> > >   ACL name: ING Intermediairs AEM Application Servers
> > >   Enabled: TRUE
> > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > >
> > > Trying to request a certificate for a server
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > >
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > > cannot be completed: FAILURE (Policy Set Not Found)).
> > >         stuck: no
> > >         key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > >         certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > >         CA: IPA
> > >         issuer:
> > >         subject:
> > >         expires: unknown
> > >         pre-save command:
> > >         post-save command:
> > >         track: yes
> > >         auto-renew: yes
> > >
> > > Since the same setup was working to request certificates on my lab 
> > > environment I'm at a loss what is causing the error.
> > >
> > > Kind regards,
> > >
> > Hi Wouter,
> >
> > I'm looking into this; stay tuned.
> >
> OK, I could not reproduce.  Is the issue reproducible for you?  Did
> you execute the commands by hand or as part of a script?  Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
> 
> Cheers,
> Fraser
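
Added example (not part of the original messages, and not FreeIPA or Certmonger code): a small parser for `ipa-getcert list` output that flags both outcomes seen in this thread, a request rejected by the CA and a certificate issued with the default subject because the requested profile was not propagated. The sample output, host names, the `web1` request and the function names are constructed for illustration; `OU=TESTAEM` is the RDN the custom profile in the thread adds.

```python
import re

# Constructed sample in the layout of the `ipa-getcert list` output quoted in
# the thread; host names, the second request and its subject are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID 'mongo2':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
        stuck: no
        CA: IPA
        subject:
Request ID 'web1':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=web1.example.test,O=IPADOMAIN
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `ipa-getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '(.+)':\s*$", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def audit_profile(requests, expected_rdn):
    """Classify each request against the RDN the custom profile should add."""
    findings = {}
    for req_id, f in requests.items():
        # Simplification: splits on commas, so escaped commas in a DN are not handled.
        rdns = [r.strip().upper() for r in f.get("subject", "").split(",")]
        if f.get("ca-error"):
            findings[req_id] = "ca-error"             # CA rejected the request
        elif f.get("subject") and expected_rdn.upper() not in rdns:
            findings[req_id] = "profile-not-applied"  # issued with default subject
        elif f.get("subject"):
            findings[req_id] = "ok"
        else:
            findings[req_id] = "pending"
    return findings

if __name__ == "__main__":
    for req_id, verdict in audit_profile(parse_getcert_list(SAMPLE), "OU=TESTAEM").items():
        print(req_id, verdict)
```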
