Rob, Thank you for replying. I've enable debug and i think this is the relevant portion of the log.
[Sat Jun 10 04:18:58.109402 2017] [:error] [pid 11081] ipa: DEBUG: NSSConnection init freeipa.fakedomain.local [Sat Jun 10 04:18:58.271640 2017] [:error] [pid 11081] ipa: DEBUG: Connecting: 192.168.0.10:0 [Sat Jun 10 04:18:58.281333 2017] [:error] [pid 11081] ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server [Sat Jun 10 04:18:58.281432 2017] [:error] [pid 11081] ipa: DEBUG: cert valid True for "CN=freeipa.fakedomain.local,O=fakedomain.LOCAL" [Sat Jun 10 04:18:58.285331 2017] [:error] [pid 11081] ipa: DEBUG: handshake complete, peer = 192.168.0.10:443 [Sat Jun 10 04:18:58.285406 2017] [:error] [pid 11081] ipa: DEBUG: Protocol: TLS1.2 [Sat Jun 10 04:18:58.285459 2017] [:error] [pid 11081] ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [Sat Jun 10 04:18:58.292610 2017] [:error] [pid 11081] ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server [Sat Jun 10 04:18:58.292691 2017] [:error] [pid 11081] ipa: DEBUG: cert valid True for "CN=freeipa.fakedomain.local,O=fakedomain.LOCAL" [Sat Jun 10 04:18:58.303693 2017] [:error] [pid 11081] ipa: DEBUG: handshake complete, peer = 192.168.0.10:443 [Sat Jun 10 04:18:58.303756 2017] [:error] [pid 11081] ipa: DEBUG: Protocol: TLS1.2 [Sat Jun 10 04:18:58.303803 2017] [:error] [pid 11081] ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [Sat Jun 10 04:18:58.336406 2017] [:error] [pid 11081] ipa: DEBUG: response status 200 [Sat Jun 10 04:18:58.336490 2017] [:error] [pid 11081] ipa: DEBUG: response headers {'date': 'Sat, 10 Jun 2017 02:18:58 GMT', 'content-length': '144', 'content-type': 'application/xml', 'server': 'Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5'} [Sat Jun 10 04:18:58.336544 2017] [:error] [pid 11081] ipa: DEBUG: response body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>String index out of range: -36</Error></XMLResponse>' [Sat Jun 10 04:18:58.336951 2017] [:error] [pid 11081] ipa: DEBUG: parse_profile_submit_result_xml() xml_text: [Sat Jun 10 04:18:58.336958 2017] [:error] [pid 11081] <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>String index out of range: -36</Error></XMLResponse> [Sat Jun 10 04:18:58.336960 2017] [:error] [pid 11081] parse_result: [Sat Jun 10 04:18:58.336962 2017] [:error] [pid 11081] {'error_code': 1, 'error_string': u'String index out of range: -36'} [Sat Jun 10 04:18:58.337049 2017] [:error] [pid 11081] ipa: ERROR: ra.request_certificate(): FAILURE (String index out of range: -36) [Sat Jun 10 04:18:58.385983 2017] [:error] [pid 11081] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Sat Jun 10 04:18:58.386003 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute [Sat Jun 10 04:18:58.386006 2017] [:error] [pid 11081] result = command(*args, **options) [Sat Jun 10 04:18:58.386008 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__ [Sat Jun 10 04:18:58.386009 2017] [:error] [pid 11081] return self.__do_call(*args, **options) [Sat Jun 10 04:18:58.386011 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call [Sat Jun 10 04:18:58.386012 2017] [:error] [pid 11081] ret = self.run(*args, **options) [Sat Jun 10 04:18:58.386014 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run [Sat Jun 10 04:18:58.386015 2017] [:error] [pid 11081] return self.execute(*args, **options) [Sat Jun 10 04:18:58.386017 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 629, in execute [Sat Jun 10 04:18:58.386018 2017] [:error] [pid 11081] csr, profile_id, ca_id, request_type=request_type) [Sat Jun 10 04:18:58.386020 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1612, in request_certificate [Sat Jun 10 04:18:58.386022 2017] [:error] [pid 11081] parse_result.get('error_string')) [Sat Jun 10 04:18:58.386023 2017] [:error] [pid 11081] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1334, in raise_certificate_operation_error [Sat Jun 10 04:18:58.386025 2017] [:error] [pid 11081] raise errors.CertificateOperationError(error=err_msg) [Sat Jun 10 04:18:58.386026 2017] [:error] [pid 11081] CertificateOperationError: Certificate operation cannot be completed: FAILURE (String index out of range: -36) And from /var/log/pki/pki-tomcat/ca/debug in think this is the relevant portion: [10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: Finish parsePKCS10 - CN=vertica1.fakedomain.local [10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: BasicProfile: populate() policy setid =serverCertSet [10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: SubjectNameDefault: populate start java.lang.StringIndexOutOfBoundsException: String index out of range: -36 at java.lang.String.substring(String.java:1967) at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:128) at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:804) at com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160) at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:224) at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1101) at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:1330) at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:362) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:181) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:243) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128) at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) [10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: ProfileSubmitServlet: error in processing request: java.lang.StringIndexOutOfBoundsException: String index out of range: -36 So it looks to me like something is going wrong with SubjectNameDefault: but now, how do i fix this. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org