I'm trying to follow and adapt https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html to issue a Subordinate CA for a firewall appliance, for user VPN certs and testing SSL Interception.
When I try to issue the certificate I get the following error:

```
ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Policy Set Not Found
```

But the certprofile exists and I'm not sure what a `Policy Set` is...

```
ipa-admin@ipa1:~$ ipa certprofile-show SubCA
  Profile ID: SubCA
  Profile description: Subordinate CA
  Store issued certificates: True

ipa-admin@ipa1:~$ ipa caacl-show SubCA
  ACL name: SubCA
  Description: Subordinate CA
  Enabled: True
  Service category: all
  CAs: ipa
  Profiles: SubCA
  Users: ipa-admin
  Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local
```

```
# /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no profile policy set found
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create enrollment request: Policy Set Not Found

# /var/log/httpd/error_log
[Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343] [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb] [email protected]: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\*********************=\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='SubCA', principal='host/subca-fw01.domain.local', version='2.245'): HTTPRequestError
```

Please ignore the different timestamps; they're various attempts, all with the same log messages.
