[Freeipa-users] Certificate Profile - Policy Set Not Found
Fraser Tweedale
ftweedal at redhat.com
Thu Dec 10 02:58:05 UTC 2015
On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink at kpn.com wrote:
> > Hello,
> >
> > Im trying to import and use a certificate profile in IPAv4.2 on RHEL.
> >
> > I've exported the default caIPAServiceCert profile and did the following modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
> > 87c87
> > < policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
> >
> > Profile
> > Profile ID: KPNWebhostingAEM
> > Profile description: KPN Webhosting AEM
> > Store issued certificates: TRUE
> >
> > CAACL
> > ACL name: ING Intermediairs AEM Application Servers
> > Enabled: TRUE
> > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > Host Groups: xxx_accp_applications, xxx_prod_applications
> >
> > Trying to request a certificate for a server
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> >
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
> > stuck: no
> > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.
> >
> > Met vriendelijke groet,
> >
> Hi Wouter,
>
> I'm looking into this; stay tuned.
>
OK, I could not reproduce. Is the issue reproducible for you? Did
you execute the commands by hand or as part of a script? Can you
provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
Cheers,
Fraser
More information about the Freeipa-users
mailing list