[Freeipa-users] Unable to get new certificates after upgrade

Martin Babinsky mbabinsk at redhat.com
Mon Feb 29 08:34:01 UTC 2016


On 02/27/2016 09:36 PM, Alessandro De Maria wrote:
> Hello list,
>
> I was running freeipa 4.1 on CentOS 7.1.
> I wanted to upgrade to freeipa 4.2.x to make use of user certificates.
>
> Upgrade (through yum upgrade) went ok and I am now on version:
> Name        : ipa-server
> Version     : 4.2.0
> Release     : 15.el7_2.6
>
>
> However I am unable to generate new certificates (this functionality was
> working perfectly before)
>
> When I use ipa-getcert request I get the following message (ipa-getcert
> list)
> Failed request, will retry: 4001 (RPC failed at server.
> caIPAserviceCert: Certificate Profile not found
> I read this blog:
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> I tried the following:
> $ ipa certprofile-show caIPAserviceCert
> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>
>
> So I tried to download caIPAserviceCert from this url and importing it:
>
> $ wget
> https://raw.githubusercontent.com/encukou/freeipa/master/install/share/profiles/caIPAserviceCert.cfg
>
> $ ipa certprofile-import caIPAserviceCert --file caIPAserviceCert.cfg
> --desc "Default certificates" --store TRUE
> ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Profile
> already exists
>
> So I imported it with another profile name (caIPAserviceCert_new) and
> that worked (I can see it from the web interface, but I cannot see
> caIPAserviceCert there)
>
> I tried to use:
> ipa-getcert request -T caIPAserviceCert_new  ... ... ...
>
> and that still gives the infamous message above:
> Failed request, will retry: 4001 (RPC failed at server.
> caIPAserviceCert: Certificate Profile not found
> Could someone help me out please? I noticed that 4.2.3 is out with
> important bug fixes, is there a repository out there with CentOS rpms?
>
> Regards
> Alessandro
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com

Hi Alessandro,

you probably hit https://fedorahosted.org/freeipa/ticket/5682: a fix for 
this issue is on its way downstream. Meanwhile you can try the 
following workaround:

1.) open /etc/pki/pki-tomcat/conf/ca/CS.cfg file and locate a line 
similar to the following:

"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"

2.) Replace the "LDAPProfileSubsystem" part of the directive with 
"ProfileSubsystem".

3.) Run "ipa-server-upgrade" to trigger the addition of profiles to LDAP 
manually

4.) As directory manager, run
"""
ldapsearch -D 'cn=Directory Manager' -W -b 
'ou=CertificateProfiles,ou=ca,o=ipaca' '(objectclass=certProfile)'
"""

You should get a list of profiles with base64-encoded configurations and 
the certificate requests should work as usual.

-- 
Martin^3 Babinsky
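The four-step workaround above, scripted as an added example (mine, not code from Martin's reply or from the FreeIPA project). It performs the CS.cfg edit of steps 1 and 2 with a timestamped backup and checks that the expected line exists before and after the edit, and only when invoked with `apply` does it go on to run ipa-server-upgrade (step 3) and the step-4 ldapsearch. The file path and the search base are the ones named in the reply; the function names, the backup suffix, the `apply` guard and the `-x` (simple bind) flag on ldapsearch are this script's own choices and assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: apply the CS.cfg part of
# the workaround safely, then (optionally) run the upgrade and verify in LDAP.

# Path named in the reply; override with CS_CFG=... for a test copy.
CS_CFG="${CS_CFG:-/etc/pki/pki-tomcat/conf/ca/CS.cfg}"

# Steps 1-2: on the "subsystem.N.class=...LDAPProfileSubsystem" line, swap the
# class to ProfileSubsystem. A timestamped backup is written first.
# Returns 0 on success, 1 if no such line exists (nothing to do, or the edit
# was already applied), 2 if the edit did not take effect.
switch_to_file_profiles() {
    cfg="$1"
    grep -q '^subsystem\.[0-9]*\.class=com\.netscape\.cmscore\.profile\.LDAPProfileSubsystem$' "$cfg" \
        || return 1
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    # Only the class name is rewritten; every other line is copied verbatim.
    sed 's/^\(subsystem\.[0-9]*\.class=com\.netscape\.cmscore\.profile\.\)LDAPProfileSubsystem$/\1ProfileSubsystem/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^subsystem\.[0-9]*\.class=com\.netscape\.cmscore\.profile\.ProfileSubsystem$' "$cfg" \
        || return 2
    return 0
}

# Prints the profile subsystem class currently configured (for a before/after
# check): "LDAPProfileSubsystem" or "ProfileSubsystem".
profile_subsystem_class() {
    sed -n 's/^subsystem\.[0-9]*\.class=com\.netscape\.cmscore\.profile\.\(.*\)$/\1/p' "$1"
}

# Step 4: list the certProfile entries the upgrade wrote to LDAP. Prompts for
# the Directory Manager password (-W); -x selects a simple bind (my addition).
# caIPAserviceCert should appear among the cn values.
list_ldap_profiles() {
    ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
        -b 'ou=CertificateProfiles,ou=ca,o=ipaca' '(objectclass=certProfile)' cn
}

# Guard: nothing is changed unless the script is run as "sh thisfile apply".
if [ "${1:-}" = "apply" ]; then
    echo "before: $(profile_subsystem_class "$CS_CFG")"
    switch_to_file_profiles "$CS_CFG" || {
        echo "no LDAPProfileSubsystem line found/changed in $CS_CFG (rc=$?)" >&2
        exit 1
    }
    echo "after:  $(profile_subsystem_class "$CS_CFG")"
    ipa-server-upgrade          # step 3: re-runs the profile migration
    list_ldap_profiles          # step 4: confirm the profiles are in LDAP
fi
```

Run it against a copy first (`CS_CFG=/tmp/CS.cfg sh workaround.sh apply`, with the upgrade line commented out) to see the before/after output; a return code of 1 on the real file means the subsystem line is already ProfileSubsystem or absent, so the upgrade step alone is what remains to try.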
