[Freeipa-users] Certificate Profile - Policy Set Not Found

Fraser Tweedale ftweedal at redhat.com
Thu Dec 10 02:58:05 UTC 2015


On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink at kpn.com wrote:
> > Hello,
> > 
> > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > 
> > I've exported the default caIPAServiceCert profile and did the following modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
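Review bot: this hunk has no line-range header (the second hunk has `87c87`), so as quoted the diff is incomplete and cannot be applied with `patch`; please include the full `diff` output. Also note that the prose above names the profile `caIPAServiceCert` while the hunk's `< profileId=caIPAserviceCert` line has a lowercase `s`; the hunk's spelling is the stock IPA profile ID.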
> > 87c87
> > < policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
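Review bot: only the subject-name default of policy 1 changes here; the matching `policyset.serverCertSet.1.constraint.*` entry for the same policy is outside the hunk, so confirm its pattern still accepts a subject carrying `OU=TESTAEM` before importing, and keep `policyset.serverCertSet.1.default.params.name` as the only edited key if nothing else is meant to change.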
> > 
> > Profile
> >   Profile ID: KPNWebhostingAEM
> >   Profile description: KPN Webhosting AEM
> >   Store issued certificates: TRUE
> > 
> > CAACL
> >   ACL name: ING Intermediairs AEM Application Servers
> >   Enabled: TRUE
> >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > 
> > Trying to request a certificate for a server
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > 
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> >         status: CA_UNREACHABLE
> >         ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
> >         stuck: no
> >         key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> >         certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> >         CA: IPA
> >         issuer:
> >         subject:
> >         expires: unknown
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > 
> > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.
> > 
> > Kind regards,
> > 
> Hi Wouter,
> 
> I'm looking into this; stay tuned.
> 
OK, I could not reproduce.  Is the issue reproducible for you?  Did
you execute the commands by hand or as part of a script?  Can you
provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?

Cheers,
Fraser
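The raw profile in the report is a flat `key=value` file whose policies are grouped into policy sets. A check a practitioner can run on such a file before importing it, added here as an example and not code from FreeIPA, Dogtag or this thread: it parses that format and verifies that every policy set and policy referenced by a `policyset.<set>.<n>.*` key is also declared in `policyset.list` and `policyset.<set>.list` (keys that exist in Dogtag raw profiles but are not shown in the report), and that each policy carries both a `default.class_id` and a `constraint.class_id`. The sample profile is constructed, with two deliberate defects; a missing declaration is one structural way a profile can reference a policy set the CA cannot find, but nothing here establishes that this is what happened in Wouter's case.

```python
"""Consistency check for a Dogtag/FreeIPA raw certificate profile.

Added example for this thread; not code from FreeIPA or Dogtag.  It assumes
the raw 'key=value' profile format quoted in the report, plus the
'policyset.list' and 'policyset.<set>.list' declaration keys used by Dogtag
raw profiles (not shown in the report).
"""
import re

# Matches keys that belong to one numbered policy inside a policy set.
POLICY_KEY = re.compile(r"^policyset\.(?P<set>[^.]+)\.(?P<num>\d+)\.(?P<rest>.+)$")

# Constructed sample in the report's format, with the OU added as in the
# quoted diff.  Two deliberate defects: policy 2 has no constraint.class_id,
# and policy 3 is used but not declared in policyset.serverCertSet.list.
SAMPLE_PROFILE = """\
profileId=KPNWebhostingAEM
classId=caEnrollImpl
desc=KPN Webhosting AEM
visible=false
enable=true
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=CN=.*
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.3.default.class_id=keyUsageExtDefaultImpl
"""


def parse_profile(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed profile line: {line!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated declaration value such as '1,2,3'."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_profile(props, expected_id=None):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    profile_id = props.get("profileId")
    if not profile_id:
        problems.append("profileId is missing")
    elif expected_id and profile_id != expected_id:
        problems.append(f"profileId {profile_id!r} != expected {expected_id!r}")

    declared_sets = split_list(props.get("policyset.list", ""))
    if not declared_sets:
        problems.append("policyset.list is missing or empty")

    # Collect every policy set and policy number actually referenced by keys.
    used = {}
    for key in props:
        m = POLICY_KEY.match(key)
        if m:
            used.setdefault(m["set"], set()).add(m["num"])

    for pset, nums in sorted(used.items()):
        if pset not in declared_sets:
            problems.append(f"policy set {pset!r} used but not in policyset.list")
        declared = split_list(props.get(f"policyset.{pset}.list", ""))
        for num in sorted(nums, key=int):
            if num not in declared:
                problems.append(f"policy {pset}.{num} used but not in policyset.{pset}.list")
            # Stock profiles give every policy both a default and a constraint class.
            for part in ("default", "constraint"):
                if f"policyset.{pset}.{num}.{part}.class_id" not in props:
                    problems.append(f"policy {pset}.{num} has no {part}.class_id")

    for pset in declared_sets:
        if pset not in used:
            problems.append(f"policy set {pset!r} listed but defines no policies")
    return problems


if __name__ == "__main__":
    for problem in check_profile(parse_profile(SAMPLE_PROFILE), expected_id="KPNWebhostingAEM"):
        print("problem:", problem)
```

To use it on a real file, read the exported profile text into `parse_profile` and pass the profile ID you intend to import as `expected_id`; a clean run is only a structural check, so a profile that passes can still be rejected by the CA for reasons this script does not model.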



