[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

Fraser Tweedale ftweedal at redhat.com
Tue Mar 29 00:01:48 UTC 2016


On Mon, Mar 28, 2016 at 10:55:06AM -0500, Endi Sukma Dewata wrote:
> On 3/28/2016 10:00 AM, Rob Crittenden wrote:
> >Timothy Geier wrote:
> >>>Thanks for the procedure..the good news is this worked quite
> >>>well in making sure that 389 didn’t crash immediately after
> >>>startup.  The bad news is that the certificates still didn’t
> >>>renew due to
> >>>
> >>>Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
> >>>
> >>>replied: Profile caServerCert Not Found
> >>>
> >>>which was the same error in getcert list I saw that one time
> >>>389 didn’t crash right away.  At least now this can be further
> >>>troubleshot without worrying about 389.
> >>>
> >>>
> >>
> >>To follow up on this issue, we haven’t been able to get any
> >>further since last month due to the missing caServerCert
> >>profile..the configuration files
> >>/usr/share/pki/ca/profiles/ca/caServerCert.cfg and
> >>/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are
> >>present and are identical.   The pki-ca package passes rpm -V as
> >>well.   Are there any other troubleshooting steps we can take?
> >
> >Maybe Endi or Ade have some ideas why the CA isn't recognizing
> >the profile.
> >
> >rob
> >
> 
> Fraser, is it possible the profile is missing from LDAP?
> 
There is a ticket for a situation where migration of profiles to
LDAP does not occur:
https://bugzilla.redhat.com/show_bug.cgi?id=1300252

See also upstream ticket:
https://fedorahosted.org/freeipa/ticket/5682

The fix is awaiting release for RHEL.

A possible workaround is to modify
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg, replacing the value:

    com.netscape.cmscore.profile.LDAPProfileSubsystem

with:

    com.netscape.cmscore.profile.ProfileSubsystem

Then run `ipa-server-upgrade`.  The upgrade program should
observe that LDAP-based profiles are not enabled, re-enable the
LDAPProfileSubsystem and import all file-based profiles into the
database.

If you are able to try this procedure, let me know how it goes.

Cheers,
Fraser

> Timothy, could you provide us with the CA debug logs
> (/var/log/pki/pki-tomcat/ca/debug) and CA configuration file
> (/var/lib/pki/pki-tomcat/ca/conf/CS.cfg)?
> 
> Thanks!
> 
> -- 
> Endi S. Dewata
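The workaround Fraser describes above, scripted as an added example; this is not part of his message or of FreeIPA/Dogtag. It swaps the profile subsystem class in CS.cfg only if the LDAP class is actually present, keeps a timestamped backup so the file can be restored if ipa-server-upgrade does not flip it back, and afterwards checks that the upgrade re-enabled LDAPProfileSubsystem as the message says it should. The CS.cfg path and both class names come from the message; the `subsystem.1.class` key name in the constructed sample, the `--apply` flag, and the final ldapsearch (bound as Directory Manager against `ou=certificateProfiles,ou=ca,o=ipaca`, where the profile entry would be expected) are my assumptions.

```shell
#!/bin/sh
# Added example: apply the CS.cfg workaround from the thread with a backup
# and post-upgrade checks.  Not FreeIPA/Dogtag code.  Tested on GNU sed.
set -eu

# Path and class names as given in the mailing list message.
CS_CFG="${CS_CFG:-/var/lib/pki/pki-tomcat/ca/conf/CS.cfg}"
LDAP_CLASS="com.netscape.cmscore.profile.LDAPProfileSubsystem"
FILE_CLASS="com.netscape.cmscore.profile.ProfileSubsystem"

# Replace the LDAPProfileSubsystem value with ProfileSubsystem in the file
# given as $1.  Matches on the full value ("=<class>" at end of line), so
# the key name does not matter.  Prints "changed" or "unchanged"; returns 1
# if the file is missing.  A timestamped backup is taken before editing.
switch_to_file_profiles() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
    if ! grep -q "=$LDAP_CLASS\$" "$cfg"; then
        echo "unchanged"
        return 0
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    sed -i "s/=$LDAP_CLASS\$/=$FILE_CLASS/" "$cfg"
    echo "changed"
}

# Report whether the LDAP-backed profile subsystem is configured in $1.
# Prints "ldap" or "file" so the post-upgrade state can be checked.
profile_backend() {
    if grep -q "=$LDAP_CLASS\$" "$1"; then
        echo "ldap"
    else
        echo "file"
    fi
}

# Only touch the live system when explicitly asked, as root, on a CA master.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ] && [ -f "$CS_CFG" ]; then
    echo "CS.cfg: $(switch_to_file_profiles "$CS_CFG")"
    ipa-server-upgrade
    # The message says the upgrade should re-enable LDAPProfileSubsystem.
    if [ "$(profile_backend "$CS_CFG")" = "ldap" ]; then
        echo "upgrade re-enabled LDAPProfileSubsystem"
    else
        echo "LDAPProfileSubsystem NOT re-enabled; restore from $CS_CFG.bak.*" >&2
        exit 1
    fi
    # Assumed location of the imported profile entry (not stated in the thread).
    ldapsearch -LLL -x -D "cn=Directory Manager" -W \
        -b "ou=certificateProfiles,ou=ca,o=ipaca" "(cn=caServerCert)" dn
fi
```

Run it as `sh apply_profile_workaround.sh --apply` on the CA master named in the profileSubmit error; without `--apply` it only defines the functions. If the final check fails, copy the `.bak.*` file back over CS.cfg before restarting pki-tomcatd, since the file-based ProfileSubsystem was never meant to stay in place.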
