[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

Thorsten Scherf tscherf at redhat.com
Wed Mar 30 10:42:31 UTC 2016


On [Tue, 29.03.2016 20:53], Timothy Geier wrote:
>
>> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf <tscherf at redhat.com> wrote:
>>
>> On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>>>
>>>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf <tscherf at redhat.com> wrote:
>>>>
>>>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>>>> To follow up on this issue, we haven’t been able to get any further since
>>>>> last month due to the missing caServerCert profile..the configuration
>>>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>>>> and are identical.   The pki-ca package
>>>>> passes rpm -V as well.   Are there any other troubleshooting steps we can
>>>>> take?
>>>>
>>>> Can you please check if the profile is available in the LDAP trees:
>>>>
>>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>>>
>>> dn: cn=certprofiles,cn=ca,$suffix
>>> objectClass: nsContainer
>>> objectClass: top
>>> cn: certprofiles
>>>
>>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>>>
>>> dn: ou=certificateProfiles,ou=ca,o=ipaca
>>> objectClass: top
>>> objectClass: organizationalUnit
>>> ou: certificateProfiles
>>>
>>>>
>>>> If this is the case, please check if the profile is accessible by the
>>>> host:
>>>>
>>>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>>>
>>>
>>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>>>
>>>> I either suspect that the profiles have not been properly migrated to
>>>> the LDAP tree or that some ACIs are missing to allow access to the
>>>> profiles.
>>>>
>>>
>>> I suspect you’re right..I ran these same commands on a reference system and there was
>>> a lot more output in the ldapsearches and the ipa certprofile-show command came back with
>>> Profile ID: caIPAserviceCert
>>> Profile description: Standard profile for network services
>>> Store issued certificates: TRUE
>>
>> Yes, this is a known issue which has been fixed in the most recent
>> FreeIPA releases 4.2.4 and 4.3.1.
>> I would recommend to upgrade your system to one of those releases. If this is not feasible, I can send you instructions how to fix the issue manually.
>>
>
>It’s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported?

The CentOS and Red Hat updates won't be released before May. The FreeIPA
updates are already available:

http://www.freeipa.org/page/Releases/4.2.4
http://www.freeipa.org/page/Releases/4.3.1

>Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand?

This is only necessary if you want to fix it manually. You don't need to
change it when you apply the updated packages.

Cheers,
Thorsten

>
>Thanks,
>
>> Cheers,
>> Thorsten
>>
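A small added check, not code from the thread or from FreeIPA, for the diagnostic Thorsten describes above: feed it the LDIF that the ldapsearch against cn=certprofiles,cn=ca,$suffix returns and it reports which expected profile IDs have no entry under that container. The two LDIF samples, the dc=example,dc=test suffix and the ipaCertProfile objectClass are assumptions.

```python
"""Added diagnostic, not from the thread: list expected FreeIPA profile IDs
missing from the LDIF ldapsearch returns for cn=certprofiles,cn=ca,$suffix."""

# Constructed: the affected system returns only the container itself.
LDIF_BROKEN = """\
dn: cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: nsContainer
objectClass: top
cn: certprofiles
"""

# Constructed: a healthy system also returns one child entry per profile.
LDIF_HEALTHY = LDIF_BROKEN + """
dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=test
objectClass: ipaCertProfile
objectClass: top
cn: caIPAserviceCert
description: Standard profile for network
  services
"""


def parse_ldif(text):
    """Parse LDIF into {attr: [values]} dicts, unfolding RFC 2849 lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def missing_profiles(ldif, base, expected):
    """Return expected profile IDs lacking a cn=<id> child entry under base."""
    present = set()
    for entry in parse_ldif(ldif):
        rdn, _, parent = entry["dn"][0].partition(",")
        if parent.lower() == base.lower() and rdn.lower().startswith("cn="):
            present.add(rdn[3:])
    return [p for p in expected if p not in present]
```

On the affected system the broken sample yields `['caIPAserviceCert']`, matching the "Certificate Profile not found" error; on a healthy system the list is empty.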
