Bug 675742

Summary: Profile caIPAserviceCert Not Found
Product: [Retired] freeIPA
Reporter: Rob Crittenden <rcritten>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 2.0
CC: awnuk, benl, dpal, jgalipea
Target Milestone: v2 release
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 675789
Environment:
Last Closed: 2012-03-28 09:26:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 541012, 675789
Attachments:
  caIPAserviceCert.cfg (flags: none)

Description Rob Crittenden 2011-02-07 15:38:09 UTC
Description of problem:

I'm unable to generate certificates using the caIPAserviceCert profile:

# ipa cert-request --add --principal=HTTP/panther.example.com panther.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

I found a Java trace in the debug log:

[07/Feb/2011:10:28:58][main]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[07/Feb/2011:10:28:58][main]: input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
        at com.netscape.cmscore.base.FileConfigStore.load(FileConfigStore.java:77)
        at com.netscape.cmscore.base.FileConfigStore.<init>(FileConfigStore.java:60)
        at com.netscape.cmscore.apps.CMSEngine.createFileConfigStore(CMSEngine.java:557)
        at com.netscape.certsrv.apps.CMS.createFileConfigStore(CMS.java:1554)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:119)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:94)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[07/Feb/2011:10:28:58][main]: Done Profile Creation - caIPAserviceCert

Version-Release number of selected component (if applicable):

pki-ca-9.0.2-1.fc14.noarch

Comment 1 Rob Crittenden 2011-02-07 15:39:16 UTC
Created attachment 477436
caIPAserviceCert.cfg

Comment 2 Andrew Wnuk 2011-02-10 22:38:39 UTC
The IPA installer modifies the caIPAserviceCert profile by adding instance-specific
names, for example:
  policyset.serverCertSet.1.default.params.name=
     CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM
or
  policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
    https://works4me.sjc.redhat.com/ipa/crl/MasterCRL.bin

The above modifications are also causing a change of file ownership from
  -rw-rw----. 1 pkiuser pkiuser  6215 Feb  1 14:04 caIPAserviceCert.cfg
to 
  -rw-rw----. 1 root root  6215 Feb  1 14:04 caIPAserviceCert.cfg

After the profile update, the IPA installer should run a command like
 "chown pkiuser:pkiuser caIPAserviceCert.cfg"
to recover the original file ownership.

Note that the user and group names have to be synchronized with the parameters used by
pkicreate.

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca          \
          -subsystem_type=ca                 \
          -agent_secure_port=9443            \
          -ee_secure_port=9444               \
          -ee_secure_client_auth_port=9446   \
          -admin_secure_port=9445            \
          -unsecure_port=9180                \
          -tomcat_server_port=9701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca         \
          -redirect logs=/var/log/pki-ca     \
          -verbose
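
The failure mode described in comment 2 (an installer rewrites the profile file and the new copy ends up root:root, so the CA, running as pkiuser, can no longer read it) is easy to avoid by copying the original uid/gid and mode onto the rewritten file before renaming it into place. The following is an added illustration for this bug, not the IPA installer's or pki-ca's own code: the profile keys are the ones quoted above, while the sample values, the `update_profile`/`profile_owned_by`/`run_demo` names and the temporary-directory demo are constructed for the example. It also includes the post-install check an operator would run to confirm the profile is still owned by the user and group that were passed to pkicreate.

```python
"""Rewrite a pki-ca profile .cfg without losing its ownership or mode.

Added example for bug 675742; not the IPA installer's own code.  The two
profile keys come from comment 2; all values, names and the temp-dir demo
are constructed here.
"""
import os
import pwd
import grp
import tempfile


def update_profile(path, settings):
    """Set key=value pairs in a profile file, keeping its uid/gid/mode.

    Writes a temp file in the same directory, copies the original owner and
    permission bits onto it (the step whose omission left the file root:root
    in the bug), then renames it over the original atomically.
    Returns the (uid, gid) the file had before and still has afterwards.
    """
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()

    updated, seen = [], set()
    for line in lines:
        key, sep, _value = line.partition("=")
        key = key.strip()
        if sep and key in settings:
            updated.append(f"{key}={settings[key]}")
            seen.add(key)
        else:
            updated.append(line)
    for key, value in settings.items():  # append keys the file did not have
        if key not in seen:
            updated.append(f"{key}={value}")

    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".profile-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(updated) + "\n")
        os.chmod(tmp, st.st_mode & 0o7777)   # e.g. 0660, i.e. -rw-rw----
        os.chown(tmp, st.st_uid, st.st_gid)  # what "chown pkiuser:pkiuser" restores
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return st.st_uid, st.st_gid


def owner_of(path):
    """Return (user, group) names for a file, falling back to numeric ids."""
    st = os.stat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def profile_owned_by(path, user, group):
    """Post-install check: does the profile still belong to the CA's user:group?"""
    return owner_of(path) == (user, group)


# Constructed sample profile using the two keys quoted in comment 2.
SAMPLE_PROFILE = """\
desc=Constructed sample of caIPAserviceCert.cfg (not the real profile)
visible=false
enable=true
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPA
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ca.example.test/ipa/crl/MasterCRL.bin
"""

# Instance-specific values an installer would substitute (constructed).
INSTANCE_SETTINGS = {
    "policyset.serverCertSet.1.default.params.name":
        "CN=$request.req_subject_name.cn$, O=EXAMPLE.TEST",
    "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0":
        "https://ipa.example.test/ipa/crl/MasterCRL.bin",
}


def run_demo():
    """Create a throwaway profile, update it, and report what was preserved."""
    workdir = tempfile.mkdtemp(prefix="pki-profile-demo-")
    path = os.path.join(workdir, "caIPAserviceCert.cfg")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PROFILE)
    os.chmod(path, 0o660)
    before = os.stat(path)

    uid, gid = update_profile(path, INSTANCE_SETTINGS)
    after = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        content = fh.read()

    return {
        "owner_preserved": (after.st_uid, after.st_gid) == (before.st_uid, before.st_gid) == (uid, gid),
        "mode_preserved": (after.st_mode & 0o7777) == 0o660,
        "owner_check": profile_owned_by(path, *owner_of(path)),
        "org_updated": "O=EXAMPLE.TEST" in content,
        "crl_updated": INSTANCE_SETTINGS[
            "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0"] in content,
        "line_count": len(content.splitlines()),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In a real deployment the check would be `profile_owned_by("/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg", "pkiuser", "pkiuser")`, with the user and group names taken from the same `-user`/`-group` values handed to pkicreate; in the demo they are whatever user runs it, since only root can hand a file to another owner.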

Comment 3 Dmitri Pal 2011-02-11 21:21:23 UTC
https://fedorahosted.org/freeipa/ticket/928

Comment 4 Dmitri Pal 2011-02-11 21:21:45 UTC
master: 95b0563817c20bd7d7d82719d8baf8eac2bc9098