On Thu, Dec 10, 2015 at 07:04:33AM +0000, [email protected] wrote:
> I'll send the log as soon as I get a chance. After the mail I also tried
> fetching a cert on another server cent7.1 that never had a cert issued. This
> resulted in a cert conformant
> With caIpaServiceCert
>
That is expected behaviour - only RHEL 7.2 version of Certmonger
propagates the requested profile (`-T' option) to the IPA CA.

>
> Sent from my Samsung device
>
>
> -------- Original message --------
> From: Fraser Tweedale <[email protected]>
> Date: 2015-12-10 03:58 (GMT+01:00)
> To: "Hummelink, Wouter" <[email protected]>
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
>
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +0000, [email protected] wrote:
> > > Hello,
> > >
> > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > >
> > > I've exported the default caIPAServiceCert profile and did the following
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > <
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > > OU=TESTAEM, O=IPADOMAIN
> > >
> > > Profile
> > > Profile ID: KPNWebhostingAEM
> > > Profile description: KPN Webhosting AEM
> > > Store issued certificates: TRUE
> > >
> > > CAACL
> > > ACL name: ING Intermediairs AEM Application Servers
> > > Enabled: TRUE
> > > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > > Host Groups: xxx_accp_applications, xxx_prod_applications
> > >
> > > Trying to request a certificate for a server
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k
> > > /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> > >
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed
> > > request, will retry: 4301 (RPC failed at server. Certificate operation
> > > cannot be completed: FAILURE (Policy Set Not Found)).
> > > stuck: no
> > > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > > CA: IPA
> > > issuer:
> > > subject:
> > > expires: unknown
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > >
> > > Since the same setup was working to request certificates on my lab
> > > environment I'm at a loss what is causing the error.
> > >
> > > Kind regards,
> > >
> > Hi Wouter,
> >
> > I'm looking into this; stay tuned.
> >
> OK, I could not reproduce. Is the issue reproducible for you? Did
> you execute the commands by hand or as part of a script? Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
>
> Cheers,
> Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
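
An added example, not part of the thread or of FreeIPA/Certmonger: because a client that does not propagate `-T` still receives a certificate, only under the default profile, this check compares each tracked certificate's subject with the name template of the profile that was requested, using the two templates from the diff above. The `ipa-getcert list` sample is constructed, and the request-to-profile mapping passed to `audit` is a hypothetical inventory.

```python
import re
# Subject-name templates from the profile diff quoted in the thread.
TEMPLATES = {
    "caIPAServiceCert": "CN=$request.req_subject_name.cn$, O=IPADOMAIN",
    "KPNWebhostingAEM": "CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN",
}
# Constructed sample of `ipa-getcert list` output (not taken from a real host).
SAMPLE = """Request ID 'mongo1':
    status: MONITORING
    subject: CN=mongo1.ipadomain,O=IPADOMAIN
Request ID 'mongo2':
    status: CA_UNREACHABLE
    ca-error: 4301 (Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
    subject:
Request ID 'mongo3':
    status: MONITORING
    subject: CN=mongo3.ipadomain,OU=TESTAEM,O=IPADOMAIN
"""

def norm(dn):
    # Drop whitespace around RDN separators (assumes no escaped commas in values).
    return ",".join(p.strip() for p in dn.split(","))

def matches(template, subject):
    # Each $variable$ in the template stands for exactly one RDN value.
    parts = re.split(r"\$[^$]+\$", norm(template))
    return re.fullmatch("([^,]+)".join(map(re.escape, parts)), norm(subject)) is not None

def parse_getcert_list(text):
    # Returns {request_id: {field: value}} from `ipa-getcert list` output.
    requests, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"Request ID '(.+)':$", line)
        if header:
            current = requests.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def audit(text, requested):
    # requested: {request_id: profile passed with -T}; hypothetical inventory.
    result = {}
    for rid, fields in parse_getcert_list(text).items():
        subject = fields.get("subject", "")
        if not subject:
            result[rid] = "not issued: " + fields.get("status", "unknown")
        else:
            ok = matches(TEMPLATES[requested[rid]], subject)
            result[rid] = "ok" if ok else "issued under a different profile"
    return result
```
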
