Trying to follow and adapt
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... for
issuing a Subordinate CA for a firewall appliance, for user VPN certs and testing SSL
interception.

When I try to issue the certificate I get the following error:
ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Policy Set Not Found

But the certprofile exists and I'm not sure what a `Policy Set` is...
ipa-admin@ipa1:~$ ipa certprofile-show SubCA
Profile ID: SubCA
Profile description: Subordinate CA
Store issued certificates: True
ipa-admin@ipa1:~$ ipa caacl-show SubCA
ACL name: SubCA
Description: Subordinate CA
Enabled: True
Service category: all
CAs: ipa
Profiles: SubCA
Users: ipa-admin
Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local

# /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no profile policy set found
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create enrollment request: Policy Set Not Found

# /var/log/httpd/error_log
[Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343] [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb] ipa-admin@IPA.LOCAL: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\*********************=\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='SubCA', principal='host/subca-fw01.domain.local', version='2.245'): HTTPRequestError

Please ignore the different timestamps; they're various attempts, all with the same log
messages.