On Tue, May 02, 2023 at 12:40:55AM -0000, Djerk Geurts via FreeIPA-users wrote:
> Trying to follow and adapt
> https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> for issuing a Subordinate CA for a firewall appliance. For user VPN certs
> and testing SSL Interception.
>
> When I try to issue the certificate I get the following error:
>
> ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal
> host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem
> ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST
> API: 500. Unable to create enrollment request: Policy Set Not Found

The policy set is part of the profile configuration, so this error
suggests an error in the profile configuration. Have a look at the raw
profile configuration:

    ipa certprofile-show --out SubCA.cfg SubCA

If you can't figure it out, please share the raw profile configuration
here as the next step.

Thanks,
Fraser

> But the certprofile exists and I'm not sure what a `Policy Set` is...
>
> ipa-admin@ipa1:~$ ipa certprofile-show SubCA
>   Profile ID: SubCA
>   Profile description: Subordinate CA
>   Store issued certificates: True
> ipa-admin@ipa1:~$ ipa caacl-show SubCA
>   ACL name: SubCA
>   Description: Subordinate CA
>   Enabled: True
>   Service category: all
>   CAs: ipa
>   Profiles: SubCA
>   Users: ipa-admin
>   Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local
>
> # /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log
> 2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no
> profile policy set found
> 2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create
> enrollment request: Policy Set Not Found
>
> # /var/log/httpd/error_log
> [Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343]
> [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb]
> [email protected]: cert_request/1('-----BEGIN CERTIFICATE
> REQUEST-----\*********************=\n-----END CERTIFICATE REQUEST-----\n',
> profile_id='SubCA', principal='host/subca-fw01.domain.local',
> version='2.245'): HTTPRequestError
>
> Please ignore the different timestamps, they're various attempts all with the
> same log messages.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
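As an added example (not code from this thread, from FreeIPA or from Dogtag), the following Python script checks the raw profile text that `ipa certprofile-show --out SubCA.cfg SubCA` writes for the policy-set wiring the CA needs: a `policyset.list` entry, a matching `policyset.<name>.list` for every listed set, and a `constraint.class_id` / `default.class_id` for every policy in it. The sample profile, the set name `subCASet`, the policy ids and the two broken variants are constructed for the example; the key layout follows the Dogtag raw-profile format, and the assumption (not stated in the thread) is that a missing or mismatched set definition is the kind of defect that leaves the CA with no policy set to select.

```python
"""Sanity-check a raw Dogtag/FreeIPA certificate profile for policy-set defects.

Added example (not code from the thread, FreeIPA or Dogtag). Run it on the
file written by `ipa certprofile-show --out SubCA.cfg SubCA`, or with no
argument to check the constructed samples below.
"""
import sys

# Constructed sample in the Dogtag raw-profile layout; the set name
# "subCASet" and the policy ids are made up for this example.
GOOD_PROFILE = """\
profileId=SubCA
classId=caEnrollImpl
desc=Subordinate CA
visible=false
enable=true
auth.instance_id=raCertAuth
input.list=i1
input.i1.class_id=certReqInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=subCASet
policyset.subCASet.list=1,2
policyset.subCASet.1.constraint.class_id=subjectNameConstraintImpl
policyset.subCASet.1.constraint.name=Subject Name Constraint
policyset.subCASet.1.constraint.params.pattern=CN=.*
policyset.subCASet.1.default.class_id=userSubjectNameDefaultImpl
policyset.subCASet.1.default.name=Subject Name Default
policyset.subCASet.2.constraint.class_id=basicConstraintsExtConstraintImpl
policyset.subCASet.2.constraint.name=Basic Constraints Extension Constraint
policyset.subCASet.2.constraint.params.basicConstraintsIsCA=true
policyset.subCASet.2.default.class_id=basicConstraintsExtDefaultImpl
policyset.subCASet.2.default.name=Basic Constraints Extension Default
policyset.subCASet.2.default.params.basicConstraintsIsCA=true
policyset.subCASet.2.default.params.basicConstraintsPathLen=0
"""

# Two constructed broken variants: the set list dropped entirely, and a set
# name in policyset.list that does not match the set actually defined.
NO_SET_LIST = GOOD_PROFILE.replace("policyset.list=subCASet\n", "")
TYPO_SET_NAME = GOOD_PROFILE.replace("policyset.list=subCASet",
                                     "policyset.list=serverCertSet")


def parse_profile(text):
    """Parse key=value lines into a dict, splitting on the first '=' only,
    because values such as subject-name patterns may contain '=' themselves."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed profile line: %r" % raw)
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_policysets(cfg):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    listed = _csv(cfg.get("policyset.list", ""))
    # Every set that owns any policyset.<name>.* key, whether listed or not.
    defined = {k.split(".")[1] for k in cfg
               if k.startswith("policyset.") and k != "policyset.list"}
    if not listed:
        problems.append("policyset.list is missing or empty: "
                        "the CA has no policy set to select for the request")
    for name in listed:
        ids = _csv(cfg.get("policyset.%s.list" % name, ""))
        if not ids:
            hint = (" (sets actually defined: %s)" % sorted(defined)) if defined else ""
            problems.append("policyset.%s.list is missing or empty%s" % (name, hint))
            continue
        for pid in ids:
            for part in ("constraint", "default"):
                key = "policyset.%s.%s.%s.class_id" % (name, pid, part)
                if not cfg.get(key):
                    problems.append("%s is missing" % key)
    for name in sorted(defined - set(listed)):
        problems.append("policy set '%s' is defined but never referenced "
                        "by policyset.list" % name)
    return problems


def check_profile_text(text):
    return check_policysets(parse_profile(text))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"good": GOOD_PROFILE, "no-set-list": NO_SET_LIST,
                   "typo-set-name": TYPO_SET_NAME}
    for label, text in samples.items():
        found = check_profile_text(text)
        print("%s: %s" % (label, "OK" if not found else ""))
        for p in found:
            print("  - " + p)
```

The check only covers the structural wiring of the policy sets; it does not validate the constraint or default parameters themselves, so a profile that passes can still be rejected by the CA for other reasons, and a profile that fails here is a good candidate to post to the list as Fraser suggests.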
