On [Tue, 29.03.2016 20:53], Timothy Geier wrote:
On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <tsch...@redhat.com> wrote:
On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tsch...@redhat.com> wrote:
On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
To follow up on this issue, we haven’t been able to get any further since
last month due to the missing caServerCert profile..the configuration
and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
and are identical. The pki-ca package
passes rpm -V as well. Are there any other troubleshooting steps we can
Can you please check if the profile is available in the LDAP trees:
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b
If this is the case, please check if the profile is accessible by the
# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
ipa: ERROR: caIPAserviceCert: Certificate Profile not found
I either suspect that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the
I suspect you’re right..I ran these same commands on a reference system and
a lot more output in the ldapsearches and the ipa certprofile-show command came
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE
Yes, this is a known issue which has been fixed in the most recent
FreeIPA releases 4.2.4 and 4.3.1.
I would recommend upgrading your system to one of those releases. If this is
not feasible, I can send you instructions on how to fix the issue manually.
It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported?
The CentOS and Red Hat updates won't be released before May. The FreeIPA
updates are already available:
Also, should com.netscape.cmscore.profile be changed in
This is only necessary if you want to fix it manually. You don't need to
change it when you apply the updated packages.