| Summary: | Profile caIPAserviceCert Not Found | | |
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Rob Crittenden <rcritten> |
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.0 | CC: | awnuk, benl, dpal, jgalipea |
| Target Milestone: | v2 release | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | freeipa-2.1.0-1.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 675789 | Environment: | |
| Last Closed: | 2012-03-28 09:26:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 541012, 675789 | | |
| Attachments: | | | |

Created attachment 477436
caIPAserviceCert.cfg

IPA installer modifies the caIPAserviceCert profile by adding instance-specific
names, for example:

policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM

or

policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://works4me.sjc.redhat.com/ipa/crl/MasterCRL.bin

The above modifications also cause the file ownership to change from

-rw-rw----. 1 pkiuser pkiuser 6215 Feb 1 14:04 caIPAserviceCert.cfg

to

-rw-rw----. 1 root root 6215 Feb 1 14:04 caIPAserviceCert.cfg

The IPA installer, after the profile update, should run a command like
"chown pkiuser:pkiuser caIPAserviceCert.cfg"
to recover the original file ownership.

Note that the user and group names have to be synchronized with the parameters used by
pkicreate.

pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca \
-subsystem_type=ca \
-agent_secure_port=9443 \
-ee_secure_port=9444 \
-ee_secure_client_auth_port=9446 \
-admin_secure_port=9445 \
-unsecure_port=9180 \
-tomcat_server_port=9701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca \
-redirect logs=/var/log/pki-ca \
-verbose
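
As an added example (not FreeIPA or Dogtag code), one way a root-run installer could rewrite a profile so that the ownership change described in the comment above does not occur: write a temporary file, copy the original owner and mode onto it, then rename it into place. The function names `rewrite_profile`, `wrong_owner` and `demo` and the sample profile content are constructed for illustration.

```python
import os
import stat
import tempfile

KEY = "policyset.serverCertSet.1.default.params.name"  # key quoted in the report

def rewrite_profile(path, updates):
    """Apply key=value updates to a .cfg file, keeping its owner and mode."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    pending = dict(updates)
    out = []
    for line in lines:
        key, sep, _ = line.partition("=")
        if sep and key in pending:
            line = f"{key}={pending.pop(key)}"
        out.append(line)
    out.extend(f"{k}={v}" for k, v in pending.items())  # keys not yet present
    # mkstemp creates the file as the caller (root in an installer), mode 0600
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cfg-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(out) + "\n")
            f.flush()
            os.fchown(f.fileno(), st.st_uid, st.st_gid)  # original owner and group
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))  # mode set after chown
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic swap; readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise

def wrong_owner(profile_dir, uid, gid):
    """Names of regular files in profile_dir not owned by uid:gid."""
    found = ((n, os.stat(os.path.join(profile_dir, n))) for n in sorted(os.listdir(profile_dir)))
    return [n for n, s in found if stat.S_ISREG(s.st_mode) and (s.st_uid, s.st_gid) != (uid, gid)]

def demo():
    """Constructed sample profile in a temp dir; returns stats before and after."""
    path = os.path.join(tempfile.mkdtemp(), "caIPAserviceCert.cfg")
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"desc=constructed sample\n{KEY}=CN=$request.req_subject_name.cn$, O=EXAMPLE\n")
    os.chmod(path, 0o660)
    before = os.stat(path)
    rewrite_profile(path, {KEY: "CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM"})
    bad = wrong_owner(os.path.dirname(path), before.st_uid, before.st_gid)
    with open(path, encoding="utf-8") as f:
        return before, os.stat(path), f.read(), bad

if __name__ == "__main__":
    print(demo())
```

Running `wrong_owner` over the profile directory with the CA user's uid and gid after an install or upgrade lists any file left in the state the comment describes.
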
master: 95b0563817c20bd7d7d82719d8baf8eac2bc9098

Description of problem:

I'm unable to generate certificates using the caIPAserviceCert profile:

    # ipa cert-request --add --principal=HTTP/panther.example.com panther.csr
    ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

I found a java trace in debug:

    [07/Feb/2011:10:28:58][main]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
    [07/Feb/2011:10:28:58][main]: input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
    input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
        at com.netscape.cmscore.base.FileConfigStore.load(FileConfigStore.java:77)
        at com.netscape.cmscore.base.FileConfigStore.<init>(FileConfigStore.java:60)
        at com.netscape.cmscore.apps.CMSEngine.createFileConfigStore(CMSEngine.java:557)
        at com.netscape.certsrv.apps.CMS.createFileConfigStore(CMS.java:1554)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:119)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:94)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    [07/Feb/2011:10:28:58][main]: Done Profile Creation - caIPAserviceCert

Version-Release number of selected component (if applicable):
pki-ca-9.0.2-1.fc14.noarch