On [Tue, 29.03.2016 20:53], Timothy Geier wrote:

On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <tsch...@redhat.com> wrote:

On [Mon, 28.03.2016 18:18], Timothy Geier wrote:

On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tsch...@redhat.com> wrote:

On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
To follow up on this issue, we haven’t been able to get any further since
last month due to the missing caServerCert profile..the configuration
files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
and are identical.   The pki-ca package
passes rpm -V as well.   Are there any other troubleshooting steps we can

Can you please check if the profile is available in the LDAP trees:

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix

dn: cn=certprofiles,cn=ca,$suffix
objectClass: nsContainer
objectClass: top
cn: certprofiles

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b 

dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles

If this is the case, please check if the profile is accessable by the

# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert

ipa: ERROR: caIPAserviceCert: Certificate Profile not found

I either suspect that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the

I suspect you’re right..I ran these same commands on a reference system and 
there was
a lot more output in the ldapsearches and the ipa certprofile-show command came 
back with
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE

Yes, this is a known issue which has been fixed in the most recent
FreeIPA releases 4.2.4 and 4.3.1.
I would recommend to upgrade your system to one of those releases. If this is 
not feasible, I can send you instructions how to fix the issue manually.

It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported?

The CentOS and Red Hat updates won't be released before May. The FreeIPA
updates are already available:


Also, should com.netscape.cmscore.profile be changed in 
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?

This is only necessary if you want to fix it manually. You don't need to
change it when you apply the updated packages.




"This message and any attachments may contain confidential information. If you
have received this  message in error, any use or distribution is prohibited.
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to