[Freeipa-users] ipa-replica-prepare Certificate issuance failed

Chris Evich cevich at redhat.com
Sun May 6 01:08:48 UTC 2012


On 05/05/2012 08:01 PM, Chris Evich wrote:
> On 05/04/2012 04:17 PM, Chris Evich wrote:
> That makes me think maybe there's just a missing service principal or
> something I can add? I'll see if I can remove that request and try
> running ipa-replica-prepare again to see if it still gives that error
> (systems have been restarted since then). Though any other
> suggestions/ideas of what I can try or look at are much appreciated.
> Thanks.
>

Replying to myself again, bad-form, but maybe it'll help someone else if 
they have a similar problem....

I found the 20120504213228 request (from previous mail) sitting on the 
replica machine in /etc/pki/nssdb and was able to nuke it with 
certutil. Running ipa-replica-prepare, however, gave the same failure. I'm 
assuming that came from when I did an ipa-client install on the replica 
box recently.

Playing more to see if I could coax out more info, I tried running 'ipa 
cert-request' from what I want to be my replica machine:

[root@<replica> certs]# ipa cert-request --principal=imap/<replica fqdn>@<domain> dovecot.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

At the same time, I had a tailf running on the master's 
/var/log/pki-ca/debug and this is what came out:

[05/May/2012:20:51:55][TP-Processor2]: CMSServlet:service() uri = //ca/eeca/ca/profileSubmitSSLClient
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request' value='-----BEGIN CERTIFICATE REQUEST-----
MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu
...blah blah blah...
z2ZS4bG7jleB0zm1rN3b5TY=
-----END CERTIFICATE REQUEST-----'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet: caProfileSubmitSSLClient start to service.
[05/May/2012:20:51:55][TP-Processor2]: xmlOutput true
[05/May/2012:20:51:55][TP-Processor2]: Start of ProfileSubmitServlet Input Parameters
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request='-----BEGIN CERTIFICATE REQUEST-----
MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu
...blah blah blah...
z2ZS4bG7jleB0zm1rN3b5TY=
-----END CERTIFICATE REQUEST-----'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter xml='true'
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[05/May/2012:20:51:55][TP-Processor2]: End of ProfileSubmitServlet Input Parameters
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: start serving
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: SubId=profile
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: isRenewal false
[05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: profileId caIPAserviceCert
[05/May/2012:20:51:55][TP-Processor2]: CMSServlet: curDate=Sat May 05 20:51:55 EDT 2012 id=caProfileSubmitSSLClient time=12

I'm guessing there's something going on with this 'caIPAserviceCert' 
thing.  Granted I didn't try requesting any certs prior to the update, 
however I can click the 'view' button in the web UI on some service 
certs from the install, so it was generating them at some point.



