<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server"> <style></style> </head> <body> <div> <div>I'll send the log as soon as I get a chance. After the mail I also tried fetching a cert on another server cent7.1 that never had a cert issued. This resulted in a cert conformant</div> <div>With caIpaServiceCert</div> <div><br> </div> <div><br> </div> <div id="x_composer_signature"> <div style="font-size:85%; color:#575757">Verzonden vanaf mijn Samsung-apparaat</div> </div> <br> <br> -------- Oorspronkelijk bericht --------<br> Van: Fraser Tweedale <ftweedal@redhat.com> <br> Datum: 2015-12-10 03:58 (GMT+01:00) <br> Aan: "Hummelink, Wouter" <wouter.hummelink@kpn.com> <br> Cc: freeipa-users@redhat.com <br> Onderwerp: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found <br> <br> </div> <font size="2"><span style="font-size:10pt;"> <div class="PlainText">On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:<br> > On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink@kpn.com wrote:<br> > > Hello,<br> > > <br> > > Im trying to import and use a certificate profile in IPAv4.2 on RHEL.<br> > > <br> > > I've exported the default caIPAServiceCert profile and did the following modification:<br> > > < profileId=caIPAserviceCert<br> > > ---<br> > > > profileId=KPNWebhostingAEM<br> > > 87c87<br> > > < policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN<br> > > ---<br> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN<br> > > <br> > > Profile<br> > > Profile ID: KPNWebhostingAEM<br> > > Profile description: KPN Webhosting AEM<br> > > Store issued certificates: TRUE<br> > > <br> > > CAACL<br> > > ACL name: ING Intermediairs AEM Application Servers<br> > > Enabled: TRUE<br> > > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM<br> > > Host Groups: xxx_accp_applications, xxx_prod_applications<br> > > <br> > > Trying to request a certificate for a server<br> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM<br> > > <br> > > Results in:<br> > > ipa-getcert list<br> > > Number of certificates and requests being tracked: 1.<br> > > Request ID 'mongo2':<br> > > status: CA_UNREACHABLE<br> > > ca-error: Server at <a href="https://pvlipa1001c.ipadomain/ipa/xml">https://pvlipa1001c.ipadomain/ipa/xml</a> failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).<br> > > stuck: no<br> > > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'<br> > > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'<br> > > CA: IPA<br> > > issuer:<br> > > subject:<br> > > expires: unknown<br> > > pre-save command:<br> > > post-save command:<br> > > track: yes<br> > > auto-renew: yes<br> > > <br> > > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.<br> > > <br> > > Met vriendelijke groet,<br> > > <br> > Hi Wouter,<br> > <br> > I'm looking into this; stay tuned.<br> > <br> OK, I could not reproduce. Is the issue reproducible for you? Did<br> you execute the commands by hand or as part of a script? Can you<br> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?<br> <br> Cheers,<br> Fraser<br> </div> </span></font> </body> </html>