[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

Timothy Geier tgeier at accertify.com
Tue Mar 29 20:53:50 UTC 2016 

> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <tscherf at redhat.com> wrote:
> 
> On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>> 
>>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tscherf at redhat.com> wrote:
>>> 
>>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>>> To follow up on this issue, we haven’t been able to get any further since
>>>> last month due to the missing caServerCert profile..the configuration
>>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>>> and are identical.   The pki-ca package
>>>> passes rpm -V as well.   Are there any other troubleshooting steps we can
>>>> take?
>>> 
>>> Can you please check if the profile is available in the LDAP trees:
>>> 
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>> 
>> dn: cn=certprofiles,cn=ca,$suffix
>> objectClass: nsContainer
>> objectClass: top
>> cn: certprofiles
>> 
>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>> 
>> dn: ou=certificateProfiles,ou=ca,o=ipaca
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: certificateProfiles
>> 
>>> 
>>> If this is the case, please check if the profile is accessable by the
>>> host:
>>> 
>>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>> 
>> 
>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>> 
>>> I either suspect that the profiles have not been properly migrated to
>>> the LDAP tree or that some ACIs are missing to allow access to the
>>> profiles.
>>> 
>> 
>> I suspect you’re right..I ran these same commands on a reference system and there was
>> a lot more output in the ldapsearches and the ipa certprofile-show command came back with
>> Profile ID: caIPAserviceCert
>> Profile description: Standard profile for network services
>> Store issued certificates: TRUE
> 
> Yes, this is a known issue which has been fixed in the most recent
> FreeIPA releases 4.2.4 and 4.3.1. 
> I would recommend to upgrade your system to one of those releases. If this is not feasible, I can send you instructions how to fix the issue manually.
> 

It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported?  Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?

Thanks,

> Cheers,
> Thorsten
> 





"This message and any attachments may contain confidential information. If you
have received this  message in error, any use or distribution is prohibited. 
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."

More information about the Freeipa-users mailing list