On Tue, May 02, 2023 at 12:40:55AM -0000, Djerk Geurts via FreeIPA-users wrote:
Trying to follow and adapt
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... for
issuing a Subordinate CA for a firewall appliance, for user VPN certs and testing SSL
interception.
When I try to issue the certificate I get the following error:
ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Policy Set Not Found
The policy set is part of the profile configuration, so this error
suggests an error in the profile configuration. Have a look at the
raw profile configuration:
ipa certprofile-show --out SubCA.cfg SubCA
If you can't figure it out, please share the raw profile
configuration here as the next step.
Thanks,
Fraser
But the certprofile exists and I'm not sure what a `Policy Set`
is...
ipa-admin@ipa1:~$ ipa certprofile-show SubCA
Profile ID: SubCA
Profile description: Subordinate CA
Store issued certificates: True
ipa-admin@ipa1:~$ ipa caacl-show SubCA
ACL name: SubCA
Description: Subordinate CA
Enabled: True
Service category: all
CAs: ipa
Profiles: SubCA
Users: ipa-admin
Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local
# /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no profile policy set found
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create enrollment request: Policy Set Not Found
# /var/log/httpd/error_log
[Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343] [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb] ipa-admin(a)IPA.LOCAL: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\*********************=\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='SubCA', principal='host/subca-fw01.domain.local', version='2.245'): HTTPRequestError
Please ignore the different timestamps, they're various attempts all with the same
log messages.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
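Fraser's advice in the thread is to look at the raw profile, because the "Policy Set Not Found" text matches Dogtag's CertProcessor failing to find a policy set in the profile that it can apply to the request. That is a property of the raw Dogtag profile config, not of the IPA `certprofile` or `caacl` objects, which is consistent with `ipa certprofile-show SubCA` and `ipa caacl-show SubCA` both looking fine. The following is an added example, not code from this thread or from FreeIPA/Dogtag: a POSIX shell check of the structural keys a Dogtag profile needs for its policy sets (`policyset.list`, each set's `policyset.<set>.list`, and a `constraint.class_id`/`default.class_id` pair for every listed policy), run over the key=value file that `ipa certprofile-show --out` writes. The three profile configs embedded in it are constructed and abbreviated for illustration; the thread's actual SubCA.cfg was never posted, and a real subordinate-CA profile carries many more policies than the two shown.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Dogtag: a structural
# check of a raw Dogtag profile config (the key=value file written by
# `ipa certprofile-show --out SubCA.cfg SubCA`).

# cfg_get CONFIG KEY: print KEY's value, empty if absent. Values may
# themselves contain '=' (e.g. subject name patterns), so only the first
# '=' on a line separates key from value.
cfg_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# check_profile CONFIG: report each missing policy-set key; returns 0 when
# the policyset tree is complete, 1 otherwise.
check_profile() {
    cfg=$1
    rc=0
    sets=$(cfg_get "$cfg" policyset.list)
    if [ -z "$sets" ]; then
        echo "policyset.list missing or empty: profile declares no policy set"
        return 1
    fi
    for s in $(printf '%s' "$sets" | tr ',' ' '); do
        ids=$(cfg_get "$cfg" "policyset.$s.list")
        if [ -z "$ids" ]; then
            echo "policyset.$s.list missing: set '$s' has no policies"
            rc=1
            continue
        fi
        for i in $(printf '%s' "$ids" | tr ',' ' '); do
            for part in constraint default; do
                if [ -z "$(cfg_get "$cfg" "policyset.$s.$i.$part.class_id")" ]; then
                    echo "policyset.$s.$i.$part.class_id missing"
                    rc=1
                fi
            done
        done
    done
    return $rc
}

# Constructed, abbreviated profile header shared by the samples below.
HEADER='profileId=SubCA
classId=caEnrollImpl
desc=Subordinate CA
visible=false
enable=true
auth.instance_id=raCertAuth
input.list=i1
input.i1.class_id=certReqInputImpl
output.list=o1
output.o1.class_id=certOutputImpl'

# Complete policy set: subject name plus CA basic constraints (constructed).
GOOD_CFG="$HEADER"'
policyset.list=caCertSet
policyset.caCertSet.list=1,2
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.params.pattern=.*
policyset.caCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.caCertSet.1.default.params.name=CN=$request.req_subject_name.cn$
policyset.caCertSet.2.constraint.class_id=basicConstraintsExtConstraintImpl
policyset.caCertSet.2.constraint.params.basicConstraintsIsCA=true
policyset.caCertSet.2.default.class_id=basicConstraintsExtDefaultImpl
policyset.caCertSet.2.default.params.basicConstraintsIsCA=true'

# Same profile with the whole policyset section dropped (constructed): the
# IPA certprofile and caacl objects still exist, but Dogtag has nothing to apply.
BAD_CFG="$HEADER"

# A set is declared but never filled in (constructed).
BAD_SET_CFG="$HEADER"'
policyset.list=caCertSet'

echo "== constructed complete profile"
check_profile "$GOOD_CFG" && echo "policy sets look complete"
echo "== constructed profile without any policyset keys"
check_profile "$BAD_CFG" || echo "enrollment against this profile would fail"
echo "== constructed profile with an empty policy set"
check_profile "$BAD_SET_CFG" || echo "enrollment against this profile would fail"
```

Against the real profile, the check is `ipa certprofile-show --out SubCA.cfg SubCA && check_profile "$(cat SubCA.cfg)"`. If it passes, the policy-set keys are present and the raw config itself is what the list needs to see, as Fraser asked; if it reports a missing key, that key is where to start comparing against the profile in the blog post.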