Bug 675742

Summary: Profile caIPAserviceCert Not Found
Product: [Retired] freeIPA
Reporter: Rob Crittenden <rcritten>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Priority: unspecified
Version: 2.0
CC: awnuk, benl, dpal, jgalipea
Target Milestone: v2 release
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Story Points: ---
Clone Of:
: 675789
Last Closed: 2012-03-28 09:26:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 541012, 675789
Attachments: caIPAserviceCert.cfg (flags: none)

Description Rob Crittenden 2011-02-07 15:38:09 UTC
Description of problem:

I'm unable to generate certificates using the caIPAserviceCert profile:

# ipa cert-request --add --principal=HTTP/panther.example.com panther.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

I found a Java trace in debug:

[07/Feb/2011:10:28:58][main]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[07/Feb/2011:10:28:58][main]: input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
        at com.netscape.cmscore.base.FileConfigStore.load(FileConfigStore.java:77)
        at com.netscape.cmscore.base.FileConfigStore.<init>(FileConfigStore.java:60)
        at com.netscape.cmscore.apps.CMSEngine.createFileConfigStore(CMSEngine.java:557)
        at com.netscape.certsrv.apps.CMS.createFileConfigStore(CMS.java:1554)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:119)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:94)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[07/Feb/2011:10:28:58][main]: Done Profile Creation - caIPAserviceCert

Version-Release number of selected component (if applicable):

pki-ca-9.0.2-1.fc14.noarch

Comment 1 Rob Crittenden 2011-02-07 15:39:16 UTC
Created attachment 477436 [details]
caIPAserviceCert.cfg

Comment 2 Andrew Wnuk 2011-02-10 22:38:39 UTC
The IPA installer modifies the caIPAserviceCert profile by adding instance-specific
names, for example:
  policyset.serverCertSet.1.default.params.name=
     CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM
or
  policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
    https://works4me.sjc.redhat.com/ipa/crl/MasterCRL.bin

The above modifications are also causing a change of file ownership from
  -rw-rw----. 1 pkiuser pkiuser  6215 Feb  1 14:04 caIPAserviceCert.cfg
to 
  -rw-rw----. 1 root root  6215 Feb  1 14:04 caIPAserviceCert.cfg

After the profile update, the IPA installer should run a command like
 "chown pkiuser:pkiuser caIPAserviceCert.cfg"
to recover the original file ownership.

Note that the user and group names have to be synchronized with the parameters used by
pkicreate.

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca          \
          -subsystem_type=ca                 \
          -agent_secure_port=9443            \
          -ee_secure_port=9444               \
          -ee_secure_client_auth_port=9446   \
          -admin_secure_port=9445            \
          -unsecure_port=9180                \
          -tomcat_server_port=9701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca         \
          -redirect logs=/var/log/pki-ca     \
          -verbose
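
The ownership problem described in comment 2 comes from rewriting the profile as root without restoring the owner that pki-ca runs as. The following is an added example (not freeIPA or pki-ca code) of an installer-style edit that substitutes the two instance-specific values, swaps the file in atomically, and restores the original uid/gid and mode, plus a check that tells you whether a given uid/gid could still read the profile. The realm, hostname, key names' sample values and the two-line `SAMPLE_PROFILE` are constructed placeholders, not the attached 6215-byte file.

```python
import os
import tempfile

NAME_KEY = "policyset.serverCertSet.1.default.params.name"
CRL_KEY = "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0"

SAMPLE_PROFILE = (  # constructed stand-in for the attached caIPAserviceCert.cfg
    f"{NAME_KEY}=CN=$request.req_subject_name.cn$, O=PLACEHOLDER.REALM\n"
    f"{CRL_KEY}=https://placeholder.host/ipa/crl/MasterCRL.bin\n"
)

def substitute(text, realm, fqdn):
    """Rewrite the two instance-specific values named in comment 2."""
    out = []
    for line in text.splitlines():
        key = line.partition("=")[0]
        if key == NAME_KEY:
            line = f"{key}=CN=$request.req_subject_name.cn$, O={realm}"
        elif key == CRL_KEY:
            line = f"{key}=https://{fqdn}/ipa/crl/MasterCRL.bin"
        out.append(line)
    return "\n".join(out) + "\n"

def rewrite_preserving_owner(path, realm, fqdn):
    """Edit the profile via temp file + rename, then restore the original
    uid/gid/mode so the CA (running as pkiuser) can still open it."""
    st = os.stat(path)
    with open(path) as f:
        new_text = substitute(f.read(), realm, fqdn)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, st.st_mode & 0o7777)   # keep -rw-rw----
        os.chown(tmp, st.st_uid, st.st_gid)  # keep pkiuser:pkiuser (root needed for a foreign owner)
        os.replace(tmp, path)                # atomic swap, never a half-written profile
    except BaseException:
        os.unlink(tmp)
        raise
    after = os.stat(path)
    return after.st_uid, after.st_gid, after.st_mode & 0o7777

def readable_by(path, uid, gid):
    """Would a process running as uid/gid be able to read the profile?"""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & 0o400)
    if st.st_gid == gid:
        return bool(st.st_mode & 0o040)
    return bool(st.st_mode & 0o004)
```

With the file at root:root and mode 0660 as in the report, `readable_by` for pkiuser's uid/gid returns False, which is exactly the state behind the "input stream error" in the trace.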

Comment 3 Dmitri Pal 2011-02-11 21:21:23 UTC
https://fedorahosted.org/freeipa/ticket/928

Comment 4 Dmitri Pal 2011-02-11 21:21:45 UTC
master: 95b0563817c20bd7d7d82719d8baf8eac2bc9098