On Thu, May 26, 2016 at 12:08:11PM +0200, Youenn PIOLET wrote:
> Hi there,
>
> For your information:
> I just realised today that the certificate signing using web interface was
> still broken.
>
> I've got 3 caIPAserviceCert.cfg files on my system:
>
> Locate caIPAserviceCert.cfg output
> 1. New profile: /usr/share/ipa/profiles/caIPAserviceCert.cfg
> 2. Old broken profile: /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> 3. Old broken profile:
> /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
>
> LDAP profile version was not OK, back to the older version of profile. I
> fixed it back.
>
> > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> > which stores profile configuration in LDAP.
>
> I think my Dogtag (in IPA web interface) was still using the files (and
> replacing the LDAP entry after a while? Or did it happen when I added a new
> replica?).
>

Yes - installing a new replica will re-clobber the profile configuration.
Patches to fix the problem are merged upstream and will make their way into
an upcoming bugfix release.

Thanks,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
