dn: cn=acmeIPAServerCert,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
objectClass: top
cn: acmeIPAServerCert
description: ACME IPA service certificate profile
ipaCertProfileStoreIssued: FALSE
On Fri, May 12, 2023 at 03:46:46PM -0000, Nicholas Cross via FreeIPA-users wrote:
We found that we have a cert profile that was deleted in the ui
and then we attempted to re-create it, but it will not.
ipa: ERROR: Request failed with status 409: Non-2xx response from
CA REST API: 409. Unable to create profile: Profile already exists
The profile does not show in the UI or via the CLI
$ ipa certprofile-find controlServersKubeAPIClustertest1
<blank>
$ ipa certprofile-show controlServersKubeAPIClustertest1
<blank>
But when checking ldap itself we can see it.
$ ldapsearch -LLL -o ldif-wrap=no -w $pass -D 'cn=Directory Manager' -b 'o=ipaca' | grep controlServersKubeAPIClustertest1
dn: cn=controlServersKubeAPIClustertest1,ou=certificateProfiles,ou=ca,o=ipaca
cn: controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
metaInfo: profileId:controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
metaInfo: profileId:controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
metaInfo: profileId:controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
metaInfo: profileId:controlServersKubeAPIClustertest1
extdata-profileid: controlServersKubeAPIClustertest1
metaInfo: profileId:controlServersKubeAPIClustertest1
Apart from doing an ldapdelete on that dn: , is there a better way
to clean up that "ghost" cert profile? (and the corresponding
certs?)
thanks,
Nick
Hi Nick,
There is a concept of "IPA-owned" profiles. IPA-owned profiles have
a proxy entry in the IPA LDAP subtree corresponding to the Dogtag
profile config entry (in the o=ipaca subtree).
In your case, it looks like somehow the IPA entry got deleted
without deleting the Dogtag entry. You can manually create an entry
to restore it:
dn: cn=controlServersKubeAPIClustertest1,cn=certprofiles,cn=ca,dc=ipa,dc=test
objectClass: ipacertprofile
objectClass: top
cn: controlServersKubeAPIClustertest1
description: DESCRIPTION GOES HERE
ipaCertProfileStoreIssued: FALSE # or TRUE; whatever is appropriate
If this issue - profile removal via IPA WebUI (or `ipa' CLI)
does not remove Dogtag profile config entry - is reproducible,
please file an issue at
https://pagure.io/freeipa/issues.
Thanks,
Fraser
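As an added illustration of the "IPA-owned profile" model Fraser describes (not code from the thread or from FreeIPA itself), the script below compares the Dogtag profile entries under ou=certificateProfiles,ou=ca,o=ipaca with the IPA proxy entries under cn=certprofiles,cn=ca,<suffix>, reports Dogtag profiles whose IPA entry is missing, and emits the restoring LDIF from the reply. The two ldapsearch results are embedded as constructed sample strings; the suffix dc=ipa,dc=test is taken from the thread and the profile acmeIPAServerCert from the LDIF at the top of the page.

```python
"""Find Dogtag profile entries with no IPA-owned proxy entry ("ghost" profiles).

Constructed example. The inputs stand in for the output of, e.g.:
  ldapsearch -LLL -o ldif-wrap=no -b ou=certificateProfiles,ou=ca,o=ipaca cn
  ldapsearch -LLL -o ldif-wrap=no -b cn=certprofiles,cn=ca,dc=ipa,dc=test cn
"""
import re

# Constructed sample: Dogtag side (o=ipaca subtree), two profile entries.
DOGTAG_LDIF = """\
dn: cn=acmeIPAServerCert,ou=certificateProfiles,ou=ca,o=ipaca
cn: acmeIPAServerCert

dn: cn=controlServersKubeAPIClustertest1,ou=certificateProfiles,ou=ca,o=ipaca
cn: controlServersKubeAPIClustertest1
"""

# Constructed sample: IPA side; the proxy entry for the second profile is gone.
IPA_LDIF = """\
dn: cn=acmeIPAServerCert,cn=certprofiles,cn=ca,dc=ipa,dc=test
cn: acmeIPAServerCert
"""

# Profile id is the cn of the entry's RDN (first component of the dn).
DN_RE = re.compile(r"^dn:\s*cn=([^,]+),", re.MULTILINE)


def profile_ids(ldif: str) -> set[str]:
    """Profile ids (RDN cn values) named by the dn: lines of an LDIF dump."""
    return set(DN_RE.findall(ldif))


def ghost_profiles(dogtag_ldif: str, ipa_ldif: str) -> list[str]:
    """Dogtag profiles that have no IPA proxy entry, sorted for stable output."""
    return sorted(profile_ids(dogtag_ldif) - profile_ids(ipa_ldif))


def restore_ldif(profile_id: str, suffix: str, description: str,
                 store_issued: bool = False) -> str:
    """LDIF recreating the IPA proxy entry, shaped like the one in the reply."""
    return (f"dn: cn={profile_id},cn=certprofiles,cn=ca,{suffix}\n"
            "objectClass: ipacertprofile\nobjectClass: top\n"
            f"cn: {profile_id}\ndescription: {description}\n"
            f"ipaCertProfileStoreIssued: {'TRUE' if store_issued else 'FALSE'}\n")


if __name__ == "__main__":
    for pid in ghost_profiles(DOGTAG_LDIF, IPA_LDIF):
        # Review, then feed to: ldapadd -D 'cn=Directory Manager' -W
        print(restore_ldif(pid, "dc=ipa,dc=test", "DESCRIPTION GOES HERE"))
```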