On Sun, Jun 11, 2017 at 12:46:31AM -0000, jochem--- via FreeIPA-users wrote:
Hello all,
I finally got something working, and found something of a cause.
I replaced
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$,$SUBJECT_DN_O
with
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,o=FAKEDOMAIN.LOCAL
imported the new profile, the error was gone and the certificate issued.
Some further investigation showed me it wasn't just right yet. I examined the
certificate and found this (removed the other parts of the certificate):
Authority Information Access:
OCSP - URI:http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
Full Name:
URI:http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
So somehow the variables are not being processed. For now I just put the domain name in
the profile and it is working.
Does anyone have any idea why this is (not) happening? And how to fix it? For now it is
working but I would like the original profile working again.
Best regards,
Jochem Kuijpers
You are very close to hitting on the solution.
It looks like you have taken the profile configuration directly from
/usr/share/ipa/profiles/. These are not ready-to-go profiles;
rather they are profile TEMPLATES containing variable substitutions
for FreeIPA to perform, before the profile gets loaded into Dogtag.
The '$$' is for a literal '$', and the '$IPA_CA_RECORD',
'$DOMAIN',
'$SUBJECT_DN_O' and so on, are the variable substitutions that IPA
performs. So from here, you should perform those substitutions
yourself, including the '$$' -> '$'.
When you modify a profile it is recommended to use `ipa
certprofile-show --out FILENAME` to export the current profile
configuration from Dogtag, then edit that and update the profile via
`ipa certprofile-mod`.
HTH,
Fraser
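The substitution Fraser describes, written out as an added example (this is not FreeIPA's or Dogtag's own code). It assumes Python's `string.Template` semantics, where `$$` is a literal `$` and `$NAME` is a variable, which matches the `$$` -> `$` rule above; the variable values, the second and third profile keys and the `ipa-ca` hostname are constructed for illustration. The second function checks an exported profile or an issued certificate's extension text for placeholders that were never substituted, which is exactly the symptom in the quoted certificate (`http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp`), while leaving Dogtag's own `$request...$` pattern alone.

```python
import re
from string import Template

# Profile template lines. The first is taken from the thread; the other two
# keys and all values are constructed for this example.
PROFILE_TEMPLATE = """\
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$,$SUBJECT_DN_O
policyset.serverCertSet.9.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.10.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""

# Constructed values for the IPA-side variables (what FreeIPA would fill in
# from the installed deployment). SUBJECT_DN_O carries the "o=" prefix, as
# the thread's working replacement shows.
IPA_VALUES = {
    "SUBJECT_DN_O": "o=FAKEDOMAIN.LOCAL",
    "IPA_CA_RECORD": "ipa-ca",
    "DOMAIN": "fakedomain.local",
}

# Dogtag's own placeholders look like $request.req_subject_name.cn$ and must
# survive substitution; they are delimited by '$' on both sides and are not
# followed by a word character.
DOGTAG_PATTERN = re.compile(r"\$[\w.]+\$(?!\w)")
# Anything else of the form $NAME is an IPA variable that was never filled in.
IPA_VARIABLE = re.compile(r"\$[A-Za-z_]\w*")


def render_profile(template: str, values: dict) -> str:
    """Substitute $$ -> $ and $NAME -> values[NAME] in a profile template.

    Template.substitute is strict: a variable missing from `values` raises
    KeyError instead of silently leaving '$NAME' in the output, so a profile
    can never be loaded into Dogtag half-substituted.
    """
    return Template(template).substitute(values)


def find_unresolved(text: str) -> list:
    """Return IPA variables still present in profile or certificate text.

    Dogtag's $...$ patterns are stripped first so they are not reported.
    An empty list means every IPA variable was substituted.
    """
    without_dogtag = DOGTAG_PATTERN.sub("", text)
    return IPA_VARIABLE.findall(without_dogtag)


if __name__ == "__main__":
    rendered = render_profile(PROFILE_TEMPLATE, IPA_VALUES)
    print(rendered)
    # Check the rendered profile and the thread's broken AIA line.
    print("unresolved in rendered profile:", find_unresolved(rendered))
    broken_aia = "OCSP - URI:http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp"
    print("unresolved in issued cert:", find_unresolved(broken_aia))
```

Running `find_unresolved` over the output of `ipa certprofile-show --out FILENAME` before `ipa certprofile-mod` catches a template that was imported without substitution; running it over the decoded certificate text catches the case where it already reached Dogtag.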