On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
  To follow up on this issue, we haven’t been able to get any further since
  last month due to the missing caServerCert profile..the configuration
  files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
  and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
  and are identical.   The pki-ca package
  passes rpm -V as well.   Are there any other troubleshooting steps we can
  take?


Can you please check if the profile is available in the LDAP trees:

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
If this is the case, please check if the profile is accessable by the
host:

# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert

I either suspect that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the
profiles.

Cheers,
Thorsten

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to