<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server"> <style></style> </head> <body> <div> <div>I did change profile Id as shown in the diff. No other changes.</div> <div><br> </div> <div><br> </div> <div><br> </div> <div id="x_composer_signature"> <div style="font-size:85%; color:#575757">Verzonden vanaf mijn Samsung-apparaat</div> </div> <br> <br> -------- Oorspronkelijk bericht --------<br> Van: Fraser Tweedale <ftweedal@redhat.com> <br> Datum: 2015-12-10 04:04 (GMT+01:00) <br> Aan: "Hummelink, Wouter" <wouter.hummelink@kpn.com> <br> Cc: freeipa-users@redhat.com <br> Onderwerp: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found <br> <br> </div> <font size="2"><span style="font-size:10pt;"> <div class="PlainText">On Thu, Dec 10, 2015 at 12:58:05PM +1000, Fraser Tweedale wrote:<br> > On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:<br> > > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink@kpn.com wrote:<br> > > > Hello,<br> > > > <br> > > > Im trying to import and use a certificate profile in IPAv4.2 on RHEL.<br> > > > <br> > > > I've exported the default caIPAServiceCert profile and did the following modification:<br> > > > < profileId=caIPAserviceCert<br> > > > ---<br> > > > > profileId=KPNWebhostingAEM<br> > > > 87c87<br> > > > < policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN<br> > > > ---<br> > > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN<br> > > > <br> > > > Profile<br> > > > Profile ID: KPNWebhostingAEM<br> > > > Profile description: KPN Webhosting AEM<br> > > > Store issued certificates: TRUE<br> > > > <br> > > > CAACL<br> > > > ACL name: ING Intermediairs AEM Application Servers<br> > > > Enabled: TRUE<br> > > > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM<br> > > > Host Groups: xxx_accp_applications, xxx_prod_applications<br> > > > <br> > > > Trying to request a certificate for a server<br> > > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM<br> > > > <br> > > > Results in:<br> > > > ipa-getcert list<br> > > > Number of certificates and requests being tracked: 1.<br> > > > Request ID 'mongo2':<br> > > > status: CA_UNREACHABLE<br> > > > ca-error: Server at <a href="https://pvlipa1001c.ipadomain/ipa/xml"> https://pvlipa1001c.ipadomain/ipa/xml</a> failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).<br> > > > stuck: no<br> > > > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'<br> > > > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'<br> > > > CA: IPA<br> > > > issuer:<br> > > > subject:<br> > > > expires: unknown<br> > > > pre-save command:<br> > > > post-save command:<br> > > > track: yes<br> > > > auto-renew: yes<br> > > > <br> > > > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.<br> > > > <br> > > > Met vriendelijke groet,<br> > > > <br> > > Hi Wouter,<br> > > <br> > > I'm looking into this; stay tuned.<br> > > <br> > OK, I could not reproduce. Is the issue reproducible for you? Did<br> > you execute the commands by hand or as part of a script? Can you<br> > provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?<br> ><br> Oh, and did you make any changes to the profile configuration<br> besides those you mentioned; the profileId and Subject Name pattern?<br> <br> > <br> > Cheers,<br> > Fraser<br> </div> </span></font> </body> </html>