On [Tue, 29.03.2016 20:53], Timothy Geier wrote:
On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <[email protected]> wrote:
On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <[email protected]> wrote:
On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
To follow up on this issue, we haven’t been able to get any further since last month due to the missing caServerCert profile..the configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present and are identical. The pki-ca package passes rpm -V as well. Are there any other troubleshooting steps we can take?
Can you please check if the profile is available in the LDAP trees:
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
dn: cn=certprofiles,cn=ca,$suffix
objectClass: nsContainer
objectClass: top
cn: certprofiles
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles
If this is the case, please check if the profile is accessible by the host:
# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
ipa: ERROR: caIPAserviceCert: Certificate Profile not found
I either suspect that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the
profiles.
I suspect you’re right..I ran these same commands on a reference system and there was a lot more output in the ldapsearches and the ipa certprofile-show command came back with
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE
Yes, this is a known issue which has been fixed in the most recent
FreeIPA releases 4.2.4 and 4.3.1.
I would recommend upgrading your system to one of those releases. If this is not feasible, I can send you instructions on how to fix the issue manually.
It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported?
The CentOS and Red Hat updates won't be released before May. The FreeIPA
updates are already available:
http://www.freeipa.org/page/Releases/4.2.4
http://www.freeipa.org/page/Releases/4.3.1
Also, should com.netscape.cmscore.profile be changed in
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?
This is only necessary if you want to fix it manually. You don't need to
change it when you apply the updated packages.
Cheers,
Thorsten
Thanks,
Cheers,
Thorsten
"This message and any attachments may contain confidential information. If you
have received this message in error, any use or distribution is prohibited.
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."
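The three checks Thorsten lists (the two ldapsearch queries and ipa certprofile-show) as a small POSIX sh script that reads their output and maps what it finds onto the two causes he suspects: profiles never migrated into LDAP, or profiles present but not readable by the host because of missing ACIs. This is an added example, not code from the thread or from FreeIPA; the suffix dc=example,dc=test, the objectClass names ipaCertProfile and certProfile, the attribute ipaCertProfileStoreIssued and the sample LDIF and ipa output are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from FreeIPA):
# read the output of the three commands Thorsten suggests and turn it into
# one of the two suspicions he names. Suffix, objectClasses and sample
# output are constructed; substitute your own realm suffix for live use.

# Number of entries directly below CONTAINER in ldapsearch -LLL output on
# stdin. The container entry itself is not counted, so a bare container
# (what the broken server returned in the thread) gives 0.
ldif_child_count() {
    container="$1"
    grep -ci "^dn: [a-z0-9]*=[^,]*,${container}\$" || true
}

# Succeed if PROFILE exists as a child of CONTAINER in the LDIF on stdin.
ldif_has_profile() {
    container="$1"; profile="$2"
    grep -qi "^dn: cn=${profile},${container}\$"
}

# Print "found" or "missing" from `ipa certprofile-show` output on stdin;
# a successful lookup always carries a "Profile ID:" line.
certprofile_show_result() {
    if grep -q '^ *Profile ID:'; then echo found; else echo missing; fi
}

# Map the three observations to a verdict. Both trees empty: nothing was
# migrated. Trees populated but the host cannot read the profile: ACIs.
diagnose() {
    ipa_tree="$1"; dogtag_tree="$2"; show="$3"
    if [ "$ipa_tree" -eq 0 ] && [ "$dogtag_tree" -eq 0 ]; then
        echo "profiles not migrated: both LDAP trees are empty"
    elif [ "$ipa_tree" -eq 0 ] || [ "$dogtag_tree" -eq 0 ]; then
        echo "profiles only partly migrated: one LDAP tree is empty"
    elif [ "$show" = missing ]; then
        echo "profiles stored but not readable by the host: check ACIs"
    else
        echo "ok"
    fi
}

SUFFIX='dc=example,dc=test'   # constructed; the IPA directory suffix

# Constructed LDIF: the broken server from the thread, containers only.
BROKEN_IPA_TREE="dn: cn=certprofiles,cn=ca,${SUFFIX}
objectClass: nsContainer
objectClass: top
cn: certprofiles
"
BROKEN_DOGTAG_TREE='dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles
'
# Constructed LDIF: a reference system, one profile entry shown per tree.
HEALTHY_IPA_TREE="${BROKEN_IPA_TREE}
dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,${SUFFIX}
objectClass: ipaCertProfile
objectClass: top
cn: caIPAserviceCert
description: Standard profile for network services
ipaCertProfileStoreIssued: TRUE
"
HEALTHY_DOGTAG_TREE="${BROKEN_DOGTAG_TREE}
dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: certProfile
cn: caIPAserviceCert
"
# Constructed `ipa certprofile-show caIPAserviceCert` output, both outcomes.
SHOW_BROKEN='ipa: ERROR: caIPAserviceCert: Certificate Profile not found'
SHOW_OK='  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE'

# Verdict for one (ipa-tree LDIF, dogtag-tree LDIF, show output) triple.
verdict_for() {
    a=$(printf '%s\n' "$1" | ldif_child_count "cn=certprofiles,cn=ca,${SUFFIX}")
    b=$(printf '%s\n' "$2" | ldif_child_count 'ou=certificateProfiles,ou=ca,o=ipaca')
    s=$(printf '%s\n' "$3" | certprofile_show_result)
    diagnose "$a" "$b" "$s"
}

# Stand-alone demo on the constructed samples; on a real server feed in the
# captured output of the three commands instead.
verdict_for "$BROKEN_IPA_TREE"  "$BROKEN_DOGTAG_TREE"  "$SHOW_BROKEN"
verdict_for "$HEALTHY_IPA_TREE" "$HEALTHY_DOGTAG_TREE" "$SHOW_OK"
```

On a live server the counts come from piping the real queries, for example `ldapsearch -LLLx -o ldif-wrap=no -D "cn=Directory Manager" -W -b "cn=certprofiles,cn=ca,$suffix" | ldif_child_count "cn=certprofiles,cn=ca,$suffix"`; the `-o ldif-wrap=no` matters because ldapsearch folds long DNs onto continuation lines, which the one-line grep would otherwise miss.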
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project