On Mon, Mar 28, 2016 at 10:55:06AM -0500, Endi Sukma Dewata wrote:
> On 3/28/2016 10:00 AM, Rob Crittenden wrote:
> >Timothy Geier wrote:
> >>>Thanks for the procedure..the good news is this worked quite
> >>>well in making sure that 389 didn’t crash immediately after
> >>>startup. The bad news is that the certificates still didn’t
> >>>renew due to
> >>>Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
> >>>replied: Profile caServerCert Not Found
> >>>which was the same error in getcert list I saw that one time
> >>>389 didn’t crash right away. At least now this can be further
> >>>troubleshooted without worrying about 389.
> >>To follow up on this issue, we haven’t been able to get any
> >>further since last month due to the missing caServerCert
> >>profile..the configuration files
> >>/usr/share/pki/ca/profiles/ca/caServerCert.cfg and
> >>/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are
> >>present and are identical. The pki-ca package passes rpm -V as
> >>well. Are there any other troubleshooting steps we can take?
> >Maybe Endi or Ade have some ideas why the CA isn't recognizing
> >the profile.
> Fraser, is it possible the profile is missing from LDAP?
There is a ticket for a situation where migration of profiles to
LDAP does not occur:
See also upstream ticket:
The fix is awaiting release for RHEL.
A possible workaround is to modify
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg, replacing the value:
Then running `ipa-server-upgrade`. The upgrade program should
observe that LDAP-based profiles are not enabled, re-enable the
LDAPProfileSubsystem and import all file-based profiles into the
If you are able to try this procedure, let me know how it goes.
> Timothy, could you provide us with the CA debug logs
> (/var/log/pki/pki-tomcat/ca/debug) and CA configuration file
> Endi S. Dewata