[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
Timothy Geier
tgeier at accertify.com
Tue Mar 29 20:53:50 UTC 2016
> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <tscherf at redhat.com> wrote:
>
> On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>>
>>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tscherf at redhat.com> wrote:
>>>
>>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>>> To follow up on this issue, we haven’t been able to get any further since
>>>> last month due to the missing caServerCert profile..the configuration
>>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>>> and are identical. The pki-ca package
>>>> passes rpm -V as well. Are there any other troubleshooting steps we can
>>>> take?
>>>
>>> Can you please check if the profile is available in the LDAP trees:
>>>
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>>
>> dn: cn=certprofiles,cn=ca,$suffix
>> objectClass: nsContainer
>> objectClass: top
>> cn: certprofiles
>>
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>>
>> dn: ou=certificateProfiles,ou=ca,o=ipaca
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: certificateProfiles
>>
>>>
>>> If this is the case, please check if the profile is accessible by the
>>> host:
>>>
>>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>>
>>
>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>>
>>> I either suspect that the profiles have not been properly migrated to
>>> the LDAP tree or that some ACIs are missing to allow access to the
>>> profiles.
>>>
>>
>> I suspect you’re right..I ran these same commands on a reference system and there was
>> a lot more output in the ldapsearches and the ipa certprofile-show command came back with
>> Profile ID: caIPAserviceCert
>> Profile description: Standard profile for network services
>> Store issued certificates: TRUE
>
> Yes, this is a known issue which has been fixed in the most recent
> FreeIPA releases 4.2.4 and 4.3.1.
> I would recommend upgrading your system to one of those releases. If this is not feasible, I can send you instructions on how to fix the issue manually.
>
It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported? Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?
Thanks,
> Cheers,
> Thorsten
>
"This message and any attachments may contain confidential information. If you
have received this message in error, any use or distribution is prohibited.
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."
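As an added diagnostic that is not part of this thread, the POSIX sh script below parses LDIF like the ldapsearch output quoted above and reports which certificate profile entries are missing below cn=certprofiles, which is the symptom Thorsten describes (profiles not migrated to the LDAP tree). The sample LDIF, the suffix dc=example,dc=com and the ipaCertProfile attribute names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: parse the output of
#   ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
# A healthy server returns child entries (cn=caIPAserviceCert,cn=certprofiles,...);
# the broken server in the thread returned only the container itself.

# Print the cn of every entry directly below cn=certprofiles (LDIF on stdin).
profiles_in_ldif() {
    awk '/^dn: cn=[^,]*,cn=certprofiles,/ {
             sub(/^dn: cn=/, ""); sub(/,.*/, ""); print
         }'
}

# missing_profiles NAME... < ldif: print each expected profile without an
# entry; exit status 1 if any is missing, 0 if all are present.
missing_profiles() {
    found=$(profiles_in_ldif)
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$found" | grep -qx -- "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the container-only result seen in the thread (suffix assumed).
BROKEN_LDIF='dn: cn=certprofiles,cn=ca,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certprofiles
'

# Constructed sample of a healthy server; objectClass/attribute names are assumptions.
HEALTHY_LDIF='dn: cn=certprofiles,cn=ca,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: certprofiles

dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=com
objectClass: ipaCertProfile
objectClass: top
cn: caIPAserviceCert
description: Standard profile for network services
ipaCertProfileStoreIssued: TRUE
'

# Stand-alone demo: the broken tree lacks caIPAserviceCert.
printf '%s' "$BROKEN_LDIF" | missing_profiles caIPAserviceCert \
    || echo "profiles not migrated to LDAP; upgrade to 4.2.4/4.3.1 or migrate manually"
```

On a live server, replace the constructed variables with the real ldapsearch output, e.g. `ldapsearch ... | missing_profiles caIPAserviceCert caServerCert`.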