dn: cn=acmeIPAServerCert,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
objectClass: top
cn: acmeIPAServerCert
description: ACME IPA service certificate profile
ipaCertProfileStoreIssued: FALSE
On Fri, May 12, 2023 at 03:46:46PM -0000, Nicholas Cross via FreeIPA-users wrote:
> We found that we have a cert profile that was deleted in the ui
> and then we attempted to re-create it, but it will not.
>
> ipa: ERROR: Request failed with status 409: Non-2xx response from
> CA REST API: 409. Unable to create profile: Profile already exists
>
> The profile does not show in the UI or via the CLI
>
> $ ipa certprofile-find controlServersKubeAPIClustertest1
> <blank>
>
> $ ipa certprofile-show controlServersKubeAPIClustertest1
> <blank>
>
> But when checking ldap itself we can see it.
>
> $ ldapsearch -LLL -o ldif-wrap=no -w $pass -D 'cn=Directory Manager' -b
> 'o=ipaca' | grep controlServersKubeAPIClustertest1
> dn: cn=controlServersKubeAPIClustertest1,ou=certificateProfiles,ou=ca,o=ipaca
> cn: controlServersKubeAPIClustertest1
> extdata-profileid: controlServersKubeAPIClustertest1
> metaInfo: profileId:controlServersKubeAPIClustertest1
> extdata-profileid: controlServersKubeAPIClustertest1
> metaInfo: profileId:controlServersKubeAPIClustertest1
> extdata-profileid: controlServersKubeAPIClustertest1
> metaInfo: profileId:controlServersKubeAPIClustertest1
> extdata-profileid: controlServersKubeAPIClustertest1
> metaInfo: profileId:controlServersKubeAPIClustertest1
> extdata-profileid: controlServersKubeAPIClustertest1
> metaInfo: profileId:controlServersKubeAPIClustertest1
>
> Apart from doing an ldapdelete on that dn: , is there a better way
> to clean up that "ghost" cert profile? (and the corresponding
> certs?)
>
> thanks,
> Nick

Hi Nick,

There is a concept of "IPA-owned" profiles. IPA-owned profiles have a
proxy entry in the IPA LDAP subtree corresponding to the Dogtag profile
config entry (in the o=ipaca subtree). In your case, it looks like
somehow the IPA entry got deleted without deleting the Dogtag entry.

You can manually create an entry to restore it:

dn: cn=controlServersKubeAPIClustertest1,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
objectClass: top
cn: controlServersKubeAPIClustertest1
description: DESCRIPTION GOES HERE
ipaCertProfileStoreIssued: FALSE  # or TRUE; whatever is appropriate

If this issue - profile removal via IPA WebUI (or `ipa' CLI) does not
remove Dogtag profile config entry - is reproducible, please file an
issue at https://pagure.io/freeipa/issues.

Thanks,
Fraser

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
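A consistency check for the IPA-owned/Dogtag profile split described in the reply, as an added example that is not part of the thread: it parses LDIF dumped from both subtrees, lists Dogtag profile entries that have no IPA proxy entry, and builds the restoring LDIF in the form Fraser gives. The base DN dc=ipa,dc=test, the sample dumps and the profile names other than those in the thread are assumptions; Dogtag's own built-in profiles legitimately have no IPA entry, so they are passed in `ignore`.

```python
# Added example, not from the thread: report Dogtag profile entries that lack an
# IPA proxy entry and build the LDIF that restores it. Samples are constructed;
# assumes unfolded LDIF (ldapsearch -o ldif-wrap=no) with plain-text values.
IPA_BASE = "dc=ipa,dc=test"  # assumption: substitute your realm's base DN
DOGTAG_PROFILES = "ou=certificateProfiles,ou=ca,o=ipaca"
SAMPLE_DOGTAG = """dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
cn: caIPAserviceCert

dn: cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca
cn: caCACert

dn: cn=controlServersKubeAPIClustertest1,ou=certificateProfiles,ou=ca,o=ipaca
cn: controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
"""
SAMPLE_IPA = """dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
cn: caIPAserviceCert
ipaCertProfileStoreIssued: TRUE
"""

def parse_ldif(text):
    """Map dn -> {attr: [values]}; each 'dn:' line starts a new entry."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif sep and current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def profile_ids(entries, parent_dn):
    """cn values of the entries sitting directly under parent_dn."""
    parts = (dn.partition(",") for dn in entries)
    return {rdn[3:] for rdn, _, parent in parts
            if parent.lower() == parent_dn.lower() and rdn.lower().startswith("cn=")}

def find_ghost_profiles(dogtag_ldif, ipa_ldif, base=IPA_BASE, ignore=()):
    """Dogtag profiles with no IPA proxy entry; built-ins like caCACert go in ignore."""
    dogtag = profile_ids(parse_ldif(dogtag_ldif), DOGTAG_PROFILES)
    ipa = profile_ids(parse_ldif(ipa_ldif), f"cn=certprofiles,cn=ca,{base}")
    return sorted(dogtag - ipa - set(ignore))

def restore_ldif(profile_id, description, store_issued=False, base=IPA_BASE):
    """LDIF for the missing proxy entry, in the form the reply gives."""
    return (f"dn: cn={profile_id},cn=certprofiles,cn=ca,{base}\n"
            "objectClass: ipacertprofile\nobjectClass: top\n"
            f"cn: {profile_id}\ndescription: {description}\n"
            f"ipaCertProfileStoreIssued: {'TRUE' if store_issued else 'FALSE'}\n")
```

Feed real dumps of both subtrees in place of the samples and review what is returned by hand before applying any LDIF, since the base DN and the set of Dogtag built-in profiles differ per deployment.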
