[Freeipa-users] DNS SubjectAltName missing in provisioned certificates
Fraser Tweedale
ftweedal at redhat.com
Thu May 26 23:50:17 UTC 2016
On Thu, May 26, 2016 at 12:08:11PM +0200, Youenn PIOLET wrote:
> Hi there,
>
> For your information :
> I just realised today that the certificate signing using web interface was
> still broken.
>
> I've got 3 caIPAserviceCert.cfg files on my system :
>
> Locate caIPAserviceCert.cfg output
> 1. New profile : /usr/share/ipa/profiles/caIPAserviceCert.cfg
> 2. Old broken profile : /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> 3. Old broken profile :
> /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
> LDAP profile version was not OK, back to the older version of profile. I
> fixed it back.
>
> FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> > which stores profile configuration in LDAP.
> >
>
> I think my Dogtag (in IPA web interface) was still using the files (and
> replacing the LDAP entry after a while? Or did it happen when a added a new
> replica?).
>
Yes - installing a new replica will re-clobber the profile
configuration.
Patches to fix the problem are merged upstream and will make their
way into an upcoming bugfix release.
Thanks,
Fraser
More information about the Freeipa-users
mailing list