> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <[email protected]> wrote:
>
> On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>>
>>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <[email protected]> wrote:
>>>
>>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>>> To follow up on this issue, we haven’t been able to get any further since
>>>> last month due to the missing caServerCert profile... the configuration
>>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>>> and are identical. The pki-ca package passes rpm -V as well. Are there
>>>> any other troubleshooting steps we can take?
>>>
>>> Can you please check if the profile is available in the LDAP trees:
>>>
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>>
>> dn: cn=certprofiles,cn=ca,$suffix
>> objectClass: nsContainer
>> objectClass: top
>> cn: certprofiles
>>
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>>
>> dn: ou=certificateProfiles,ou=ca,o=ipaca
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: certificateProfiles
>>
>>> If this is the case, please check if the profile is accessible by the
>>> host:
>>>
>>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>
>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>>
>>> I suspect that either the profiles have not been properly migrated to
>>> the LDAP tree or that some ACIs are missing to allow access to the
>>> profiles.
>>
>> I suspect you’re right... I ran these same commands on a reference system
>> and there was a lot more output in the ldapsearches, and the ipa
>> certprofile-show command came back with
>>
>> Profile ID: caIPAserviceCert
>> Profile description: Standard profile for network services
>> Store issued certificates: TRUE
>
> Yes, this is a known issue which has been fixed in the most recent
> FreeIPA releases 4.2.4 and 4.3.1.
> I would recommend upgrading your system to one of those releases. If this is
> not feasible, I can send you instructions on how to fix the issue manually.

It’s currently at 4.2.0-15.el7.centos.3... would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported? Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?

Thanks,

> Cheers,
> Thorsten

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
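The two ldapsearch checks in the thread are easy to misread by eye when the output is long, so here is an added example that mechanises them. It is not code from the thread or from the FreeIPA/Dogtag projects: it parses the LDIF the two queries return and reports whether a named profile is present in each container, distinguishing the bare-container case the reporter saw from a profile that exists in Dogtag's o=ipaca tree but not in IPA's tree. Assumptions: profile entries are direct children of the two containers named cn=<profile id>; the suffix dc=example,dc=test and all sample LDIF below are constructed placeholders; the two containers are not assumed to list the same set of profiles. The live_diagnose function is the only part that talks to a server and is never called automatically.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag. Parses the
# LDIF returned by the thread's two ldapsearch commands and reports whether a
# given profile is present in each container.
# Assumptions: profile entries are direct children of the containers, named
# cn=<profile id>; the suffix dc=example,dc=test and the sample LDIF below are
# constructed placeholders; the two containers need not list the same profiles.

# Join LDIF continuation lines (leading space) onto the previous line, so a dn
# that ldapsearch folded at 76 columns can still be matched with one regex.
unfold_ldif() {
  awk '
    /^ /   { printf "%s", substr($0, 2); next }
    NR > 1 { printf "\n" }
           { printf "%s", $0 }
    END    { printf "\n" }'
}

# Print the profile id of every entry directly under either container.
# The container entry itself (cn=certprofiles / ou=certificateProfiles) is skipped.
profile_names() {
  printf '%s\n' "$1" | unfold_ldif | awk '
    /^dn: cn=[^,]+,(cn=certprofiles|ou=certificateProfiles),/ {
      sub(/^dn: cn=/, ""); sub(/,.*/, ""); print
    }'
}

# Exit status 0 if the container LDIF in $1 holds profile id $2.
has_profile() {
  profile_names "$1" | grep -qxF -- "$2"
}

# $1: LDIF of ou=certificateProfiles,ou=ca,o=ipaca (Dogtag's tree)
# $2: LDIF of cn=certprofiles,cn=ca,$suffix        (IPA's tree)
# $3: profile id to look for
diagnose() {
  if has_profile "$1" "$3"; then in_dogtag=1; else in_dogtag=0; fi
  if has_profile "$2" "$3"; then in_ipa=1; else in_ipa=0; fi
  if [ "$in_dogtag" -eq 0 ] && [ "$(profile_names "$1" | awk 'END { print NR }')" -eq 0 ]; then
    echo dogtag-container-empty   # only the bare container entry, as in the thread
  elif [ "$in_dogtag" -eq 0 ]; then
    echo missing-in-dogtag-tree
  elif [ "$in_ipa" -eq 0 ]; then
    echo missing-in-ipa-tree      # ipa certprofile-show would report "not found"
  else
    echo ok
  fi
}

# Live use on an IPA server: runs the thread's two queries (prompting twice for
# the Directory Manager password, as -W does) and classifies the result.
# Usage: live_diagnose dc=example,dc=test caIPAserviceCert
live_diagnose() {
  dogtag_ldif=$(ldapsearch -LLLx -D "cn=Directory Manager" -W -b "ou=certificateProfiles,ou=ca,o=ipaca")
  ipa_ldif=$(ldapsearch -LLLx -D "cn=Directory Manager" -W -b "cn=certprofiles,cn=ca,$1")
  diagnose "$dogtag_ldif" "$ipa_ldif" "$2"
}

# Constructed samples; only the dn lines matter to the checks above.
HEALTHY_DOGTAG='dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: organizationalUnit
ou: certificateProfiles

dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
objectClass: certProfile
cn: caIPAserviceCert

dn: cn=caServerCert,ou=certificateProfiles,ou=ca,o=ipaca
objectClass: certProfile
cn: caServerCert'

HEALTHY_IPA='dn: cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: nsContainer
cn: certprofiles

dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: ipaCertProfile
cn: caIPAserviceCert
description: Standard profile for network services
ipaCertProfileStoreIssued: TRUE'

# What the reporter in the thread saw: nothing but the container entries.
BARE_DOGTAG='dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: organizationalUnit
ou: certificateProfiles'

BARE_IPA='dn: cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: nsContainer
cn: certprofiles'

# A dn long enough that ldapsearch folded it; exercises unfold_ldif.
WRAPPED_IPA='dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=some-rather-long-domain-nam
 e,dc=example,dc=test
objectClass: ipaCertProfile
cn: caIPAserviceCert'

echo "healthy server:            $(diagnose "$HEALTHY_DOGTAG" "$HEALTHY_IPA" caIPAserviceCert)"
echo "bare containers (thread):  $(diagnose "$BARE_DOGTAG" "$BARE_IPA" caIPAserviceCert)"
echo "Dogtag ok, IPA tree bare:  $(diagnose "$HEALTHY_DOGTAG" "$BARE_IPA" caIPAserviceCert)"
```

Save the LDIF from each ldapsearch into a variable or file and pass it to diagnose, or call live_diagnose with your suffix on the server itself. A result of dogtag-container-empty matches the thread's output and points at Dogtag's own profile store rather than at IPA's ACIs; missing-in-ipa-tree is the case where Dogtag knows the profile but IPA's tree was never populated with it.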
