[Freeipa-users] Certificate Profile - Policy Set Not Found

wouter.hummelink at kpn.com wouter.hummelink at kpn.com
Wed Dec 9 10:46:06 UTC 2015


Hello,

I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.

I've exported the default caIPAServiceCert profile and made the following modification:
< profileId=caIPAserviceCert
---
> profileId=KPNWebhostingAEM
87c87
< policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN
---
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
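Review bot: the 87c87 hunk changes only default.params.name for entry 1 of serverCertSet and shows nothing of the constraint paired with that entry, so confirm that the constraint's subject pattern still accepts a DN carrying the added OU=TESTAEM before importing. The first hunk also lacks the line-range header that the second one has (87c87), so it is worth re-running the diff against the file that was actually imported to be sure these two changes are the only ones.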

Profile
  Profile ID: KPNWebhostingAEM
  Profile description: KPN Webhosting AEM
  Store issued certificates: TRUE

CAACL
  ACL name: ING Intermediairs AEM Application Servers
  Enabled: TRUE
  Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
  Host Groups: xxx_accp_applications, xxx_prod_applications

Trying to request a certificate for a server
ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM

Results in:
ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID 'mongo2':
        status: CA_UNREACHABLE
        ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Since the same setup was working to request certificates on my lab environment, I'm at a loss as to what is causing the error.

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummelink at kpn.com
Phone: +31 (0)6 1288 2447
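Added example, not part of the original post and not FreeIPA or Dogtag code: a structural check for an exported profile file that can be run on both the lab and the production export before import. It assumes the Dogtag profile layout in which policyset.list names the sets and policyset.<set>.list names their numbered entries; those two keys and the class_id values in the constructed sample are not taken from the post, and the check does not claim to identify the cause of the error reported above.

```python
import re

# Constructed sample profile; only profileId and the params.name line come from the post.
SAMPLE_OK = """
profileId=KPNWebhostingAEM
policyset.list=serverCertSet
policyset.serverCertSet.list=1
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
"""
SAMPLE_BROKEN = SAMPLE_OK.replace("policyset.list=serverCertSet\n", "")

def parse_profile(text):
    """Parse profile properties (one key=value per line) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as CN=... contain '=' themselves
        props[key.strip()] = value.strip()
    return props

def check_policy_sets(props, expected_id):
    """Return a list of findings; an empty list means the structure is consistent."""
    findings = []
    if props.get("profileId") != expected_id:
        findings.append(f"profileId is {props.get('profileId')!r}, expected {expected_id!r}")
    sets = [s for s in props.get("policyset.list", "").split(",") if s]
    if not sets:
        findings.append("policyset.list is missing or empty")
    for name in sets:
        ids = [i for i in props.get(f"policyset.{name}.list", "").split(",") if i]
        if not ids:
            findings.append(f"policy set {name!r} has no policyset.{name}.list")
        for i in ids:
            for part in ("default", "constraint"):
                key = f"policyset.{name}.{i}.{part}.class_id"
                if key not in props:
                    findings.append(f"missing {key}")
    # Numbered entries that belong to a set policyset.list does not name.
    defined = {m.group(1) for k in props if (m := re.match(r"policyset\.([^.]+)\.\d+\.", k))}
    for name in sorted(defined - set(sets)):
        findings.append(f"policy set {name!r} has entries but is not in policyset.list")
    return findings

if __name__ == "__main__":
    print(check_policy_sets(parse_profile(SAMPLE_BROKEN), "KPNWebhostingAEM"))
```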
