Bug 675742 - Profile caIPAserviceCert Not Found
Summary: Profile caIPAserviceCert Not Found
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: v2 release
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: dogtagIPAv2 675789
 
Reported: 2011-02-07 15:38 UTC by Rob Crittenden
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 675789
Environment:
Last Closed: 2012-03-28 09:26:56 UTC
Embargoed:


Attachments (Terms of Use)
caIPAserviceCert.cfg (deleted)
2011-02-07 15:39 UTC, Rob Crittenden

Description Rob Crittenden 2011-02-07 15:38:09 UTC
Description of problem:

I'm unable to generate certificates using the caIPAserviceCert profile:

# ipa cert-request --add --principal=HTTP/panther.example.com panther.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

I found a java trace in debug:

[07/Feb/2011:10:28:58][main]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[07/Feb/2011:10:28:58][main]: input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
        at com.netscape.cmscore.base.FileConfigStore.load(FileConfigStore.java:77)
        at com.netscape.cmscore.base.FileConfigStore.<init>(FileConfigStore.java:60)
        at com.netscape.cmscore.apps.CMSEngine.createFileConfigStore(CMSEngine.java:557)
        at com.netscape.certsrv.apps.CMS.createFileConfigStore(CMS.java:1554)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:119)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:94)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[07/Feb/2011:10:28:58][main]: Done Profile Creation - caIPAserviceCert

Version-Release number of selected component (if applicable):

pki-ca-9.0.2-1.fc14.noarch

Comment 1 Rob Crittenden 2011-02-07 15:39:16 UTC
Created attachment 477436 [details]
caIPAserviceCert.cfg

Comment 2 Andrew Wnuk 2011-02-10 22:38:39 UTC
The IPA installer modifies the caIPAserviceCert profile by adding instance-specific
names, for example:
  policyset.serverCertSet.1.default.params.name=
     CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM
or
  policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
    https://works4me.sjc.redhat.com/ipa/crl/MasterCRL.bin

The above modifications are also causing a change of file ownership from
  -rw-rw----. 1 pkiuser pkiuser  6215 Feb  1 14:04 caIPAserviceCert.cfg
to 
  -rw-rw----. 1 root root  6215 Feb  1 14:04 caIPAserviceCert.cfg

After the profile update, the IPA installer should run a command like
 "chown pkiuser:pkiuser caIPAserviceCert.cfg"
to recover the original file ownership.

Note that the user and group names have to be synchronized with the parameters used by
pkicreate.

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca          \
          -subsystem_type=ca                 \
          -agent_secure_port=9443            \
          -ee_secure_port=9444               \
          -ee_secure_client_auth_port=9446   \
          -admin_secure_port=9445            \
          -unsecure_port=9180                \
          -tomcat_server_port=9701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca         \
          -redirect logs=/var/log/pki-ca     \
          -verbose
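The ownership-preserving profile rewrite that the comment above asks for, as an added example (not the FreeIPA installer's or Dogtag's own code): it fills in the two instance-specific keys quoted above on a constructed excerpt of the profile, writes the result to a temporary file, copies the original uid/gid/mode onto that file before swapping it over the original, and then verifies that the ownership survived. The example.com values are assumptions; run as root against a real instance this keeps the file pkiuser:pkiuser, while here it works on a temp copy owned by the current user.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed excerpt holding the two keys named in Comment 2 (not the real attachment).
SAMPLE_PROFILE = (
    "policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=\n"
    "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=\n"
)
# Instance-specific values an installer fills in (constructed, example.com names).
UPDATES = {
    "policyset.serverCertSet.1.default.params.name": "CN=$request.req_subject_name.cn$, O=EXAMPLE.COM",
    "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0": "https://ipa.example.com/ipa/crl/MasterCRL.bin",
}

def update_profile(path, updates):
    """Set key=value lines in a pki profile .cfg; returns the (uid, gid, mode) it had before."""
    before = os.stat(path)
    out, seen = [], set()
    for line in Path(path).read_text().splitlines():
        key, sep, _ = line.partition("=")  # values may themselves contain '='
        if sep and key in updates:
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(line)
    out.extend(f"{k}={v}" for k, v in updates.items() if k not in seen)
    # Renaming a freshly written file over the original as root would leave it
    # root:root (the flip described above), so copy uid/gid/mode onto it first.
    tmp = Path(path + ".tmp")
    tmp.write_text("\n".join(out) + "\n")
    os.chown(tmp, before.st_uid, before.st_gid)
    os.chmod(tmp, stat.S_IMODE(before.st_mode))
    os.replace(tmp, path)
    return before.st_uid, before.st_gid, stat.S_IMODE(before.st_mode)

def read_profile(path):
    """Parse key=value lines back into a dict so the result can be checked."""
    return dict(l.split("=", 1) for l in Path(path).read_text().splitlines() if "=" in l)

def demo():
    """Rewrite a temp copy of the sample; returns (ownership_preserved, parsed_profile)."""
    path = os.path.join(tempfile.mkdtemp(), "caIPAserviceCert.cfg")
    Path(path).write_text(SAMPLE_PROFILE)
    os.chmod(path, 0o660)  # the -rw-rw---- mode from the listing above
    uid, gid, mode = update_profile(path, UPDATES)
    after = os.stat(path)
    return (after.st_uid, after.st_gid, stat.S_IMODE(after.st_mode)) == (uid, gid, mode), read_profile(path)
```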

Comment 3 Dmitri Pal 2011-02-11 21:21:23 UTC
https://fedorahosted.org/freeipa/ticket/928

Comment 4 Dmitri Pal 2011-02-11 21:21:45 UTC
master: 95b0563817c20bd7d7d82719d8baf8eac2bc9098

