On [Mon, 28.03.2016 18:18], Timothy Geier wrote:


On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tsch...@redhat.com> wrote:

On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
 To follow up on this issue, we haven’t been able to get any further since
 last month due to the missing caServerCert profile. The configuration
 files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
 and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
 and are identical. The pki-ca package passes rpm -V as well. Are there
 any other troubleshooting steps we can take?

Can you please check if the profile is available in the LDAP trees:

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix

dn: cn=certprofiles,cn=ca,$suffix
objectClass: nsContainer
objectClass: top
cn: certprofiles

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca

dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles


If this is the case, please check if the profile is accessible by the
host:

# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert


ipa: ERROR: caIPAserviceCert: Certificate Profile not found

I either suspect that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the
profiles.


I suspect you’re right. I ran these same commands on a reference system and
there was a lot more output in the ldapsearches and the ipa certprofile-show
command came back with
 Profile ID: caIPAserviceCert
 Profile description: Standard profile for network services
 Store issued certificates: TRUE

Yes, this is a known issue which has been fixed in the most recent
FreeIPA releases 4.2.4 and 4.3.1. I would recommend upgrading your system
to one of those releases. If this is not feasible, I can send you
instructions on how to fix the issue manually.

Cheers,
Thorsten
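
Added example, not part of the original thread and not FreeIPA's own tooling: a shell helper that reads the LDIF printed by the ldapsearch commands above and counts the entries strictly below the profile container, so a "container only" result like the one on the broken host is reported explicitly. The function name and the sample entries are constructed for illustration; the profile entry DN format is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads ldapsearch LDIF on stdin and
# prints how many entries sit strictly below the given container DN.
count_profile_entries() {
    awk -v base="$1" '
        # Evaluate the DN collected so far, then reset.
        function emit(   dn) {
            if (cur == "") return
            if (cur ~ /^dn::/) { n++; cur = ""; return }  # base64 DN: counted, not compared
            dn = tolower(substr(cur, 4))
            sub(/^ +/, "", dn)
            gsub(/ *, */, ",", dn)
            if (length(dn) > length(b) && substr(dn, length(dn) - length(b)) == "," b) n++
            cur = ""
        }
        BEGIN { b = tolower(base); gsub(/ *, */, ",", b); n = 0; cur = "" }
        /^ /   { if (cur != "") cur = cur substr($0, 2); next }  # LDIF folded line
               { emit() }
        /^dn:/ { cur = $0 }
        END    { emit(); print n }
    '
}

# Constructed sample 1: only the container comes back, as in the thread.
EMPTY_TREE='dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles'

# Constructed sample 2: container plus one profile entry whose DN is folded.
POPULATED_TREE='dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
ou: certificateProfiles

dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=
 ca,o=ipaca
cn: caIPAserviceCert'

for sample in "$EMPTY_TREE" "$POPULATED_TREE"; do
    count=$(printf '%s\n' "$sample" | count_profile_entries 'ou=certificateProfiles,ou=ca,o=ipaca')
    if [ "$count" -eq 0 ]; then
        echo "container exists but holds no profiles"
    else
        echo "$count profile entry(ies) found"
    fi
done
```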
