On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
Not sure why tomcat is more resilient when launched as root, but the pki seems to work ok at issuing certs after the above and a reboot for good measure.
This sounds like there are broken permissions in the current Ubuntu packages. You should be aware that last time I checked, FreeIPA on Ubuntu was subtly yet severely broken, mostly due to the NSS libs missing PEM support, which will stop your CA from renewing, amongst other things.
Does anyone know what the state of packaging for deb distros is currently? Now that the OpenSSL migration is complete(?), the barriers to functional packages should be removed, but it looks like that only happened in 4.5, and it appears only 4.4 is packaged, which is likely still broken?