On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
Not sure why tomcat is more resilient when launched as root, but the
pki seems to work ok at issuing certs after the above and a reboot for
good measure.
This sounds like there are broken permissions in the current Ubuntu
packages. You should be aware that last time I checked, FreeIPA on
Ubuntu was subtly yet severely broken, mostly due to the NSS libs
missing PEM support, which will stop your CA from renewing, amongst
other things.
Does anyone know what the state of packaging for deb distros is
currently? Now that the OpenSSL migration is complete(?), the barriers
to functional packages should be removed, but it looks like that only
happened in 4.5, and it appears only 4.4 is packaged, which is likely
still broken?