[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

Timothy Geier tgeier at accertify.com
Mon Mar 28 18:18:57 UTC 2016


> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tscherf at redhat.com> wrote:
> 
> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>  To follow up on this issue, we haven’t been able to get any further since
>>  last month due to the missing caServerCert profile. The configuration
>>  files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>  and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>  and are identical. The pki-ca package
>>  passes rpm -V as well. Are there any other troubleshooting steps we can
>>  take?
> 
> Can you please check if the profile is available in the LDAP trees:
> 
> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix

dn: cn=certprofiles,cn=ca,$suffix
objectClass: nsContainer
objectClass: top
cn: certprofiles

> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca

dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles

> 
> If this is the case, please check if the profile is accessible by the
> host:
> 
> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
> 

ipa: ERROR: caIPAserviceCert: Certificate Profile not found

> I either suspect that the profiles have not been properly migrated to
> the LDAP tree or that some ACIs are missing to allow access to the
> profiles.
> 

I suspect you’re right. I ran these same commands on a reference system and there was
a lot more output in the ldapsearches, and the ipa certprofile-show command came back with
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

Thanks,

> Cheers,
> Thorsten
> 

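The LDAP check from the thread, as an added example that is not part of the original messages: a shell function that reads `ldapsearch -LLL` output and counts the entries below the profile container, so a container-only result like the one above shows up as zero. The function name `count_children`, the sample LDIF and the profile entry DNs in it are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ldapsearch -LLL` output on stdin and prints how many
# entries sit strictly below BASE_DN. base64 DNs ("dn::") are not decoded.
count_children() {
    awk -v base="$1" '
        function flush(   dn, b) {
            if (cur == "") return
            dn = tolower(cur); b = tolower(base)
            gsub(/[ \t]*,[ \t]*/, ",", dn); gsub(/[ \t]*,[ \t]*/, ",", b)
            # A child DN is longer than the base and ends with ",<base>".
            if (length(dn) > length(b) + 1 &&
                substr(dn, length(dn) - length(b)) == ("," b)) n++
            cur = ""
        }
        /^ /    { if (indn) cur = cur substr($0, 2); next }  # folded LDIF line
                { indn = 0 }
        /^dn: / { flush(); cur = substr($0, 5); indn = 1 }
        END     { flush(); print n + 0 }
    '
}

# Constructed sample: container entry only, as in the failing output above.
sample_container_only() {
cat <<'EOF'
dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles
EOF
}

# Constructed sample: same container plus two profile entries, one DN folded.
sample_with_profiles() {
sample_container_only
cat <<'EOF'

dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
cn: caIPAserviceCert

dn: cn=caServerCert,ou=certificateProfiles,
 ou=ca,o=ipaca
cn: caServerCert
EOF
}

BASE='ou=certificateProfiles,ou=ca,o=ipaca'
echo "container only: $(sample_container_only | count_children "$BASE") profile entries"
echo "with profiles:  $(sample_with_profiles | count_children "$BASE") profile entries"
```

On a live server the same function can take the output of either `ldapsearch` command quoted in the thread on stdin, with the matching `-b` value as its argument.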