[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
Thorsten Scherf
tscherf at redhat.com
Mon Mar 28 17:53:35 UTC 2016
On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
> To follow up on this issue, we haven’t been able to get any further since
> last month due to the missing caServerCert profile. The configuration
> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
> and are identical. The pki-ca package
> passes rpm -V as well. Are there any other troubleshooting steps we can
> take?
Can you please check if the profile is available in the LDAP trees:
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
If this is the case, please check if the profile is accessible by the
host:
# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
I suspect either that the profiles have not been properly migrated to
the LDAP tree or that some ACIs are missing to allow access to the
profiles.
Cheers,
Thorsten