On Thu, May 26, 2016 at 12:08:11PM +0200, Youenn PIOLET wrote:
> Hi there,
> 
> For your information :
> I just realised today that the certificate signing using web interface was
> still broken.
> 
> I've got 3 caIPAserviceCert.cfg files on my system :
> 
> Locate  caIPAserviceCert.cfg output
> 1. New profile :  /usr/share/ipa/profiles/caIPAserviceCert.cfg
> 2. Old broken profile : /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> 3. Old broken profile :
> /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
> LDAP profile version was not OK, back to the older version of profile. I
> fixed it back.
> 
> FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> > which stores profile configuration in LDAP.
> >
> 
> I think my Dogtag (in IPA web interface) was still using the files (and
> replacing the LDAP entry after a while? Or did it happen when a added a new
> replica?).
> 
Yes - installing a new replica will re-clobber the profile
configuration.

Patches to fix the problem are merged upstream and will make their
way into an upcoming bugfix release.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to