Hello,

This is already logged here <https://pagure.io/freeipa/issue/8738>, and will be fixed soon.

On Sun, Mar 21, 2021 at 2:45 PM Antoine Gatineau via FreeIPA-users <[email protected]> wrote:

> Hello,
>
> So I'm trying out the new acme feature in freeipa version
> 4.9.0-1.module_el8.4.0+639+a88aab78 from CentOS Stream 8.
>
> My setup is a rebuild from replica (fresh install on centos stream as a
> replica of a centos 8 non-stream existing replica).
>
> I enabled acme using "sudo ipa-acme-manage enable"
>
> From an ipa-client, I can successfully perform a certbot register. But
> certbot certonly --standalone etc... fails with the error :
> 2021-03-21 09:54:07,083:DEBUG:acme.client:Received response:
> HTTP 500
> Date: Sun, 21 Mar 2021 08:54:05 GMT
> Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g mod_auth_gssapi/1.6.1
> mod_wsgi/4.6.4 Python/3.6
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 6750
> Connection: close
>
> <!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal
> Server Error</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-
> color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3
> {font-size:14px;} p {font-size:12px;} a {color:black;} .line
> {height:1px;background-
> color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 –
> Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception
> Report</p><p><b>Message</b>
> com.netscape.certsrv.base.BadRequestException: Unable to get enrollment
> template for acmeIPAServerCert: Profile not found</p><p><b>Description</b>
> The server encountered an unexpected condition that
> prevented it from fulfilling the
> request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException:
> com.netscape.certsrv.base.BadRequestException: Unable to get enrollment
> template for
> acmeIPAServerCert: Profile not found
>
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
>
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
>
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:498)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> java.security.AccessController.doPrivileged(Native Method)
>
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:498)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> </pre><p><b>Root
> Cause</b></p><pre>com.netscape.certsrv.base.BadRequestException: Unable to
> get enrollment template for acmeIPAServerCert: Profile not found
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
>
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>
> com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:135)
> com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:143)
> com.netscape.certsrv.ca.CACertClient.getEnrollmentTemplate(CACertClient.java:167)
>
> org.dogtagpki.acme.issuer.PKIIssuer.issueCertificate(PKIIssuer.java:148)
>
> org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:91)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:498)
>
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:498)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> java.security.AccessController.doPrivileged(Native Method)
>
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:498)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> </pre><p><b>Note</b> The full stack trace of the root cause is available
> in the server logs.</p><hr class="line" /><h3>Apache
> Tomcat/9.0.30</h3></body></html>
> 2021-03-21 09:54:07,084:DEBUG:certbot.log:Exiting abnormally:
> Traceback (most recent call last):
> File "/usr/bin/certbot", line 11, in <module>
> load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
> File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
> return config.func(config, plugins)
> File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in
> certonly
> lineage = _get_and_save_cert(le_client, config, domains, certname,
> lineage)
> File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in
> _get_and_save_cert
> lineage = le_client.obtain_and_enroll_certificate(domains, certname)
> File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in
> obtain_and_enroll_certificate
> cert, chain, key, _ = self.obtain_certificate(domains)
> File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in
> obtain_certificate
> cert, chain = self.obtain_certificate_from_csr(csr, orderr)
> File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in
> obtain_certificate_from_csr
> orderr = self.acme.finalize_order(orderr, deadline)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 927, in
> finalize_order
> return self.client.finalize_order(orderr, deadline)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 754, in
> finalize_order
> self._post(orderr.body.finalize, wrapped_csr)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
> return self.net.post(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
> return self._post_once(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in
> _post_once
> response = self._check_response(response, content_type=content_type)
> File "/usr/lib/python3/dist-packages/acme/client.py", line 1079, in
> _check_response
> raise errors.ClientError(response)
> acme.errors.ClientError: <Response [500]>
> 2021-03-21 09:54:07,084:ERROR:certbot.log:An unexpected error occurred:
>
> From what I gathered pki-server should use the profile defined in freeipa
> right?
> $ sudo ls -l /usr/share/ipa/profiles/acmeIPAServerCert.cfg
> -rw-r--r--. 1 root root 6707 Dec 23 15:38
> /usr/share/ipa/profiles/acmeIPAServerCert.cfg
>
> What's the best way to fix the configuration?
> Is it best to open a bug for this? I know centos stream is not yet up to
> date, so it's maybe already fixed.
>
> Thanks
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>

--
Regards
Mohammad Rizwan Shaikh
He/Him/His
Senior Software Quality Engineer
Red Hat Pune <https://www.redhat.com>
[email protected]
M: +91-9823948657 IM: rizwan
<https://red.ht/sig>
