[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
Thorsten Scherf
tscherf at redhat.com
Tue Mar 29 07:00:20 UTC 2016
On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>
>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tscherf at redhat.com> wrote:
>>
>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>> To follow up on this issue, we haven’t been able to get any further since
>>> last month due to the missing caServerCert profile. The configuration
>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>> and are identical. The pki-ca package
>>> passes rpm -V as well. Are there any other troubleshooting steps we can
>>> take?
>>
>> Can you please check if the profile is available in the LDAP trees:
>>
>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>
>dn: cn=certprofiles,cn=ca,$suffix
>objectClass: nsContainer
>objectClass: top
>cn: certprofiles
>
>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>
>dn: ou=certificateProfiles,ou=ca,o=ipaca
>objectClass: top
>objectClass: organizationalUnit
>ou: certificateProfiles
>
>>
>> If this is the case, please check if the profile is accessible by the
>> host:
>>
>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>
>
>ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>
>> I either suspect that the profiles have not been properly migrated to
>> the LDAP tree or that some ACIs are missing to allow access to the
>> profiles.
>>
>
>I suspect you’re right. I ran these same commands on a reference system and there was
>a lot more output in the ldapsearches and the ipa certprofile-show command came back with
> Profile ID: caIPAserviceCert
> Profile description: Standard profile for network services
> Store issued certificates: TRUE
Yes, this is a known issue which has been fixed in the most recent
FreeIPA releases 4.2.4 and 4.3.1.
I would recommend upgrading your system to one of those releases. If this
is not feasible, I can send you instructions on how to fix the issue manually.
Cheers,
Thorsten
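An added diagnostic script (not from this thread or the FreeIPA project) that automates the checks discussed above: it looks for a certificate profile under both LDAP bases Thorsten queried and then tries the API read with the host keytab. It assumes the caller exports IPA_SUFFIX and a password file in LDAP_PWFILE, and that ldapsearch, kinit and ipa are on PATH; without IPA_SUFFIX it only runs its parser against constructed sample LDIF.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumptions: IPA_SUFFIX (e.g. dc=example,dc=test)
# and LDAP_PWFILE (Directory Manager password file) are set by the caller.

# Exit 0 if the LDIF on stdin (ldapsearch -LLL output) has an entry whose cn is exactly $1.
ldif_has_profile() {
    awk -v want="$1" '
        tolower($1) == "cn:" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the cn of every entry in the LDIF on stdin; with a one-level search this is
# the list of profile IDs, which can be diffed against a healthy reference system.
ldif_profile_ids() {
    awk 'tolower($1) == "cn:" { print $2 }' | sort
}

check_tree() {  # $1 = search base, $2 = profile ID
    # -y reads the bind password from a file so it does not show up in the process list.
    ldapsearch -LLLx -D "cn=Directory Manager" -y "$LDAP_PWFILE" -s one \
        -b "$1" "(cn=$2)" cn | ldif_has_profile "$2"
}

main() {
    profile="${1:-caIPAserviceCert}"
    for base in "cn=certprofiles,cn=ca,$IPA_SUFFIX" "ou=certificateProfiles,ou=ca,o=ipaca"; do
        if check_tree "$base" "$profile"; then
            echo "OK       $profile present under $base"
        else
            echo "MISSING  $profile not found under $base"
        fi
    done
    # The host's own keytab must also be able to read the profile through the API.
    kinit -kt /etc/krb5.keytab && ipa certprofile-show "$profile"
}

# Constructed sample LDIF (not real directory output) used when no directory is configured.
SAMPLE_LDIF='dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: ipacertprofile
cn: caIPAserviceCert
description: Standard profile for network services
'

selfcheck() {
    printf '%s' "$SAMPLE_LDIF" | ldif_has_profile caIPAserviceCert &&
    ! printf '%s' "$SAMPLE_LDIF" | ldif_has_profile caServerCert
}

if [ -n "${IPA_SUFFIX:-}" ]; then main "$@"; else selfcheck; fi
```

Run it as `IPA_SUFFIX=dc=example,dc=test LDAP_PWFILE=/root/dm.pw ./check-profile.sh caIPAserviceCert` on the affected replica; a MISSING line for either base matches the symptom in the thread.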