
Re: [Freeipa-users] Unable to get new certificates after upgrade

On 02/27/2016 09:36 PM, Alessandro De Maria wrote:
Hello list,

I was running freeipa 4.1 on Centos 7.1.
I wanted to upgrade to freeipa 4.2.x to make use of user certificates.

Upgrade (through yum upgrade) went ok and I am now on version:
Name        : ipa-server
Version     : 4.2.0
Release     : 15.el7_2.6

However I am unable to generate new certificates (this functionality was
working perfectly before)

When I use ipa-getcert request I get the following message (ipa-getcert
Failed request, will retry: 4001 (RPC failed at server.
caIPAserviceCert: Certificate Profile not found
I read this blog:

I tried the following:
$ ipa certprofile-show caIPAserviceCert
ipa: ERROR: caIPAserviceCert: Certificate Profile not found

So I tried to download caIPAserviceCert from this URL and import it:

$ wget

$ ipa certprofile-import caIPAserviceCert --file caIPAserviceCert.cfg
--desc "Default certificates" --store TRUE
ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Profile
already exists

So I imported it with another profile name (caIPAserviceCert_new) and
that worked (I can see it from the web interface, but I cannot see
caIPAserviceCert there)

I tried to use:
ipa-getcert request -T caIPAserviceCert_new  ... ... ...

and that still gives the infamous message above:
Failed request, will retry: 4001 (RPC failed at server.
caIPAserviceCert: Certificate Profile not found
Could someone help me out please? I noticed that 4.2.3 is out with
important bug fixes; is there a repository out there with CentOS rpms?


Alessandro De Maria
alessandro demaria gmail com

Hi Alessandro,

you probably hit https://fedorahosted.org/freeipa/ticket/5682: a fix for this issue is underway to the downstream. Meanwhile you can try the following workaround:

1.) open /etc/pki/pki-tomcat/conf/ca/CS.cfg file and locate a line similar to the following:


2.) Replace the "LDAPProfileSubsystem" part of the directive with "ProfileSubsystem".

3.) Run "ipa-server-upgrade" to trigger the addition of profiles to LDAP manually

4.) As directory manager, run
ldapsearch -D 'cn=Directory Manager' -W -b 'ou=CertificateProfiles,ou=ca,o=ipaca' '(objectclass=certProfile)'

You should get a list of profiles with base64-encoded configurations and the certificate requests should work as usual.

Martin^3 Babinsky
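The workaround above has two parts an administrator wants to verify rather than eyeball: which profile subsystem the CA's CS.cfg currently selects (steps 1 and 2), and whether the certProfile entries actually appear in LDAP afterwards (step 4). The following shell helpers are an added example written for this thread, not code from the FreeIPA project or from either poster. The CS.cfg path comes from the message above; the directive name in the constructed sample, the `certProfileConfig` attribute name used for the base64 profile body, and the `exampleProfile` entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for the Freeipa-users thread on ticket 5682 (not project code).
# Helpers to (a) inspect/switch the profile subsystem class in the Dogtag CA
# config and (b) read the certProfile entries returned by the ldapsearch in step 4.

# Path from the thread; override with CS_CFG=... for testing on a copy.
CS_CFG="${CS_CFG:-/etc/pki/pki-tomcat/conf/ca/CS.cfg}"

# Print which profile subsystem a CS.cfg selects:
# "LDAPProfileSubsystem", "ProfileSubsystem" or "unknown".
# Matches on the class-name substring only, as the workaround describes it.
profile_subsystem() {
    cfg="$1"
    if grep -q 'LDAPProfileSubsystem' "$cfg"; then
        echo LDAPProfileSubsystem
    elif grep -q 'ProfileSubsystem' "$cfg"; then
        echo ProfileSubsystem
    else
        echo unknown
    fi
}

# Step 2 of the workaround: switch LDAPProfileSubsystem to ProfileSubsystem.
# Keeps a .bak copy so the CA config can be restored after ipa-server-upgrade.
switch_to_file_profiles() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    sed 's/LDAPProfileSubsystem/ProfileSubsystem/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Read ldapsearch LDIF on stdin and print the cn of every entry (one per line).
# With the search base and filter from step 4 these are the profile names.
list_profiles_in_ldif() {
    sed -n 's/^dn: cn=\([^,]*\),.*/\1/p'
}

# Read ldapsearch LDIF on stdin and decode the base64 profile body of one
# profile. The attribute name certProfileConfig is an assumption here; adjust
# it if your ldapsearch output names the attribute differently.
decode_profile_config() {
    name="$1"
    sed -n "/^dn: cn=$name,/,/^\$/p" \
        | sed -n 's/^certProfileConfig:: //p' \
        | base64 -d
}

# Constructed sample of what step 4 returns, so the helpers can be tried
# offline. The base64 values decode to "desc=Default certificates" and
# "example"; they are not real profile configurations.
sample_ldif() {
    cat <<'EOF'
dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
objectClass: certProfile
cn: caIPAserviceCert
certProfileConfig:: ZGVzYz1EZWZhdWx0IGNlcnRpZmljYXRlcw==

dn: cn=exampleProfile,ou=certificateProfiles,ou=ca,o=ipaca
objectClass: certProfile
cn: exampleProfile
certProfileConfig:: ZXhhbXBsZQ==
EOF
}

# Usage: ./profiles.sh check   -> report the configured subsystem
#        ./profiles.sh fix     -> perform step 2 on $CS_CFG
#        ./profiles.sh demo    -> run the LDIF helpers on the sample
case "${1:-}" in
    check) profile_subsystem "$CS_CFG" ;;
    fix)   switch_to_file_profiles "$CS_CFG" && profile_subsystem "$CS_CFG" ;;
    demo)  sample_ldif | list_profiles_in_ldif
           sample_ldif | decode_profile_config caIPAserviceCert; echo ;;
esac
```

After step 4 on a real server, pipe the ldapsearch output into `list_profiles_in_ldif` and confirm `caIPAserviceCert` is listed before retrying `ipa-getcert`; if the name is missing, the upgrade step did not populate LDAP and the original error will persist regardless of which profile name the request uses.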
