[Freeipa-users] Certificate Profile - Policy Set Not Found
wouter.hummelink at kpn.com
Thu Dec 10 07:32:13 UTC 2015
Attached is yesterday's debug log from pki-tomcat.
I tried these actions several times, both scripted and manually.
Curiously, I did a resubmit just now and I got issued a correct certificate.
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of wouter.hummelink at kpn.com
Sent: Thursday 10 December 2015 08:05
To: ftweedal at redhat.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
I'll send the log as soon as I get a chance. After the mail I also tried fetching a cert on another server cent7.1 that never had a cert issued. This resulted in a cert conformant with caIpaServiceCert
Sent from my Samsung device
-------- Original message --------
From: Fraser Tweedale <ftweedal at redhat.com>
Date: 2015-12-10 03:58 (GMT+01:00)
To: "Hummelink, Wouter" <wouter.hummelink at kpn.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found
On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +0000, wouter.hummelink at kpn.com wrote:
> > Hello,
> >
> > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> >
> > I've exported the default caIPAServiceCert profile and did the following modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
> > 87c87
> > < policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPADOMAIN
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
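Review bot: in the 87c87 change, the new subject pattern hardcodes OU=TESTAEM, while the CAACL quoted further down grants KPNWebhostingAEM to xxx_prod_applications as well as xxx_accp_applications, so production hosts would be issued a subject carrying a TEST label; consider one profile per environment or an OU that is not environment-specific. Neither change touches the policyset.serverCertSet prefix, so the edit as shown does not rename or remove the policy set that the CA later reports as not found, and the cause of that error should be looked for outside these two lines.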
> >
> > Profile
> > Profile ID: KPNWebhostingAEM
> > Profile description: KPN Webhosting AEM
> > Store issued certificates: TRUE
> >
> > CAACL
> > ACL name: ING Intermediairs AEM Application Servers
> > Enabled: TRUE
> > Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > Host Groups: xxx_accp_applications, xxx_prod_applications
> >
> > Trying to request a certificate for a server
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k /etc/pki/tls/certs/host.key -TKPNWebhostingAEM
> >
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Policy Set Not Found)).
> > stuck: no
> > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Since the same setup was working to request certificates on my lab environment I'm at a loss what is causing the error.
> >
> > Kind regards,
> >
> Hi Wouter,
>
> I'm looking into this; stay tuned.
>
OK, I could not reproduce. Is the issue reproducible for you? Did
you execute the commands by hand or as part of a script? Can you
provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
Cheers,
Fraser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-debug.log.gz
Type: application/x-gzip
Size: 141988 bytes
Desc: pki-debug.log.gz
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151210/45e70b1c/attachment.bin>