[Freeipa-users] FreeIPA 3.3.* bug with external-ca?

Rob Crittenden rcritten at redhat.com
Fri Nov 8 14:41:50 UTC 2013


Andrea Bontempi wrote:
> Here the log /var/log/pki/pki-tomcat/ca/debug
>
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true'
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert'
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service.
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found
> [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100
>
> Log /var/log/pki/pki-tomcat/ca/system:
>
> 1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> 1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Ok, I'm not sure if the caServerCert error is a red herring or not. Does 
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca 
pass?

I wonder if the certificate you're passing is valid. Can openssl x509 
-text -in /path/to/ca.crt show the cert ok?

rob
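The three checks Rob asks for (profile file present, `rpm -V pki-ca` clean, `openssl x509` able to parse the external CA certificate) can be scripted so the answer is reproducible rather than eyeballed. The script below is an added example, not code from this thread or from the FreeIPA project. It assumes the paths named in the thread (`/usr/share/pki/ca/profiles/ca/caServerCert.cfg`; `/path/to/ca.crt` is the thread's placeholder and must be replaced with the real certificate), and it also greps the two Dogtag logs for the exact error strings quoted above so the two separate symptoms (missing profile vs. unusable CA certificate) are reported side by side.

```shell
#!/bin/sh
# Added diagnostic helper for the external-CA install failure discussed in the
# thread. Not part of FreeIPA or Dogtag. Paths are overridable from the
# environment; CA_CERT keeps the thread's placeholder until you set it.
PKI_PROFILE="${PKI_PROFILE:-/usr/share/pki/ca/profiles/ca/caServerCert.cfg}"
CA_CERT="${CA_CERT:-/path/to/ca.crt}"          # placeholder from the thread
CA_DEBUG_LOG="${CA_DEBUG_LOG:-/var/log/pki/pki-tomcat/ca/debug}"
CA_SYSTEM_LOG="${CA_SYSTEM_LOG:-/var/log/pki/pki-tomcat/ca/system}"

# 0 if the enrollment profile file exists and is readable, 1 otherwise.
check_profile_exists() {
    [ -r "$1" ]
}

# rpm -V prints nothing and exits 0 when every file of the package still
# matches the RPM database. 0 = intact, 1 = modified/missing files,
# 2 = rpm not installed on this host (check skipped).
check_rpm_verify() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -V "$1"
}

# 0 if openssl can parse the file as an X.509 certificate. PEM is tried first,
# then DER, because external CAs frequently hand back DER-encoded files.
# 2 = openssl not installed (check skipped).
check_cert_parses() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -in "$1" -inform PEM >/dev/null 2>&1 && return 0
    openssl x509 -noout -in "$1" -inform DER >/dev/null 2>&1
}

# Prints the fields worth reading for an external CA certificate. The -ext
# flag needs OpenSSL 1.1.1+, so fall back to the plain summary on older builds.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -ext basicConstraints -in "$1" 2>/dev/null \
        || openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Pulls the error lines quoted in the thread out of the Dogtag debug/system
# logs. Each file given is scanned; missing files are silently skipped.
scan_ca_logs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -h -E 'Profile [A-Za-z0-9]+ Not Found|Cannot build CA chain|not a PKCS #11 certificate|Object certificate not found' "$f"
    done
}

# run_check "description" command args...: runs one check and prints its status.
run_check() {
    desc=$1; shift
    if "$@"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "PASS  $desc" ;;
        2) echo "SKIP  $desc (tool not installed)" ;;
        *) echo "FAIL  $desc (exit $rc)" ;;
    esac
    return $rc
}

run_all() {
    failed=0
    run_check "profile present: $PKI_PROFILE" check_profile_exists "$PKI_PROFILE" || failed=1
    run_check "rpm -V pki-ca"                  check_rpm_verify pki-ca            || failed=1
    run_check "openssl parses $CA_CERT"        check_cert_parses "$CA_CERT"       || failed=1
    [ "$failed" -eq 0 ] && command -v openssl >/dev/null 2>&1 && cert_summary "$CA_CERT"
    echo "--- matching lines in CA logs ---"
    scan_ca_logs "$CA_DEBUG_LOG" "$CA_SYSTEM_LOG"
    return $failed
}

# Usage: CA_CERT=/etc/ipa/ca.crt sh pki_checks.sh run
if [ "$1" = "run" ]; then
    run_all
fi
```

Run it as root on the affected server with `CA_CERT` pointing at the certificate handed back by the external CA. A FAIL on the profile check or on `rpm -V` points at the packaging side (the "Profile caServerCert Not Found" line); a FAIL on the certificate parse, or a summary without `CA:TRUE`, points at the certificate side (the "Cannot build CA chain" / "not a PKCS #11 certificate" lines).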



