Hello,
This is already logged here, and will be fixed soon.


On Sun, Mar 21, 2021 at 2:45 PM Antoine Gatineau via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,

So I'm trying out the new acme feature in freeipa version 4.9.0-1.module_el8.4.0+639+a88aab78 from CentOS Stream 8.

My setup is a rebuild from replica (fresh install on centos stream as a replica of a centos 8 non-stream existing replica).

I enabled acme using "sudo ipa-acme-manage enable"

From an ipa-client, I can successfully perform a certbot register. But certbot certonly --standalone etc. fails with the error:
2021-03-21 09:54:07,083:DEBUG:acme.client:Received response:
HTTP 500
Date: Sun, 21 Mar 2021 08:54:05 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g mod_auth_gssapi/1.6.1 mod_wsgi/4.6.4 Python/3.6
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 6750
Connection: close

HTTP Status 500 – Internal Server Error

Type: Exception Report
Message: com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
org.jboss.resteasy.spi.UnhandledException: com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
        org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
        org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
Root Cause:
com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:135)
        com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:143)
        com.netscape.certsrv.ca.CACertClient.getEnrollmentTemplate(CACertClient.java:167)
        org.dogtagpki.acme.issuer.PKIIssuer.issueCertificate(PKIIssuer.java:148)
        org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:91)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
Note: The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.30
2021-03-21 09:54:07,084:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 927, in finalize_order
    return self.client.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 754, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1079, in _check_response
    raise errors.ClientError(response)
acme.errors.ClientError: <Response [500]>
2021-03-21 09:54:07,084:ERROR:certbot.log:An unexpected error occurred:

From what I gathered, pki-server should use the profile defined in freeipa, right?
$ sudo ls -l /usr/share/ipa/profiles/acmeIPAServerCert.cfg
-rw-r--r--. 1 root root 6707 Dec 23 15:38 /usr/share/ipa/profiles/acmeIPAServerCert.cfg

What's the best way to fix the configuration?
Is it best to open a bug for this? I know centos stream is not yet up to date, so maybe it's already fixed.

Thanks


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


--

Regards

Mohammad Rizwan Shaikh

He/Him/His

Senior Software Quality Engineer

Red Hat Pune

myusuf@redhat.com   
M: +91-9823948657    
IM: rizwan
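A check-and-repair script for the situation in this thread, added here as an example; it is not code from FreeIPA, Dogtag or either poster. The stack trace shows the ACME responder (PKIIssuer.issueCertificate) asking the CA for the enrollment template of the profile acmeIPAServerCert and the CA answering "Profile not found", while the raw profile file exists under /usr/share/ipa/profiles. The script checks the two sides separately: whether the file on disk really declares that profileId, and whether the CA, queried through the IPA API, knows the profile at all. If only the file is present, it registers the profile with ipa certprofile-import. Assumptions not stated in the thread: it runs on the IPA server with a Kerberos ticket that may manage certificate profiles (admin is enough), the description string and --store=True are my choices, and importing the shipped raw profile by hand is an acceptable stop-gap until the packaged fix the reply refers to is available.

```shell
#!/bin/sh
# Added example for the acmeIPAServerCert "Profile not found" error; not
# FreeIPA's own installer logic. Assumes an IPA server with a Kerberos
# ticket allowed to manage certificate profiles.

PROFILE_ID="${PROFILE_ID:-acmeIPAServerCert}"
PROFILE_FILE="${PROFILE_FILE:-/usr/share/ipa/profiles/${PROFILE_ID}.cfg}"

# Return 0 when the CA, queried through the IPA API, knows the profile.
profile_registered() {
    ipa certprofile-show "$1" >/dev/null 2>&1
}

# Print the profileId= value declared in a raw Dogtag profile file.
profile_id_in_file() {
    sed -n 's/^profileId=\(.*\)$/\1/p' "$1" | head -n 1
}

# Verify that the on-disk file really describes the expected profile, then
# import it if the CA does not have it. Return codes: 0 registered or
# imported, 2 file unreadable, 3 profileId mismatch, otherwise ipa(1)'s.
ensure_profile() {
    prof="$1"
    file="$2"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    file_id=$(profile_id_in_file "$file")
    if [ "$file_id" != "$prof" ]; then
        echo "profileId mismatch: $file declares '$file_id', expected '$prof'" >&2
        return 3
    fi
    if profile_registered "$prof"; then
        echo "$prof is already registered in the CA"
        return 0
    fi
    echo "$prof is not registered in the CA; importing from $file"
    # --store=True keeps issued certificates in the CA database, as the
    # other IPA service profiles do. The description is an assumed value.
    ipa certprofile-import "$prof" --file="$file" --store=True \
        --desc="ACME IPA service certificate profile"
}

# Entry point: "sh acme-profile-check.sh run" checks the default profile.
# Without the argument only the functions are defined (useful for sourcing).
if [ "${1:-}" = "run" ]; then
    ensure_profile "$PROFILE_ID" "$PROFILE_FILE"
fi
```

Run it as root on the replica that returned the 500, after kinit admin. A mismatch exit (code 3) means the file under /usr/share/ipa/profiles is not the profile the CA is being asked for and should be investigated rather than imported. IPA stores CA profiles in LDAP, so once the profile is registered every CA replica in the topology should see it; the replica here was built from a pre-ACME CentOS 8 master, which is consistent with the profile never having been added to the shared store.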