pki-core 10.9 uses a different location to store the LDAP schema for the ACME service. As a result, FreeIPA 4.9.0 fails provisioning the LDAP schema for ACME:

```
  [24/28]: importing IPA certificate profiles
  [25/28]: adding default CA ACL
  [26/28]: adding 'ipa' CA entry
  [27/28]: configuring certmonger renewal for lightweight CAs
  [28/28]: deploying ACME service
Failed to load /usr/share/pki/acme/database/ds/schema.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
# rpm -qf /usr/share/pki/acme/database/ldap/schema.ldif
pki-server-10.9.4-1.module_el8.3.0+500+458aeb54.noarch
# rpm -q ipa-server
ipa-server-4.9.0-0.5.rc3.module_el8.4.0+591+30f359c9.x86_64
```
Metadata Update from @abbra: - Issue assigned to abbra
PR: https://github.com/freeipa/freeipa/pull/5386
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1913089
Issue linked to Bugzilla: Bug 1913089
master:
ipa-4-9:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to IPA will not deploy ACME service if Dogtag PKI version is known to not provide a complete service. A complete ACME support requires Dogtag 10.10.0 or later.
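The failure above is a hard-coded schema path meeting a Dogtag release that moved the file, and the changelog entry resolves it by gating ACME deployment on the Dogtag version. The following preflight check, added here as an illustration and not code from FreeIPA or Dogtag, combines both ideas: it parses the pki-server version out of the rpm package name shown on this ticket, refuses to deploy ACME below 10.10.0, and otherwise looks for the schema LDIF in both the old (`database/ds`) and new (`database/ldap`) locations instead of assuming one. The function names and the `exists` hook are assumptions for this example.

```python
import os
import re

# Both locations the ACME schema has been shipped in: the path FreeIPA 4.9.0
# assumed, and the path pki-server 10.9 actually installs (per rpm -qf above).
ACME_SCHEMA_CANDIDATES = (
    "/usr/share/pki/acme/database/ds/schema.ldif",
    "/usr/share/pki/acme/database/ldap/schema.ldif",
)

# Minimum Dogtag version with complete ACME support, per the changelog entry.
MIN_ACME_PKI_VERSION = (10, 10, 0)

# Matches the leading "pki-server-MAJOR.MINOR.PATCH-" of an rpm NEVRA string.
_VERSION_RE = re.compile(r"^pki-server-(\d+)\.(\d+)\.(\d+)-")


def parse_pki_server_version(nevra):
    """Return (major, minor, patch) from a package name such as
    'pki-server-10.9.4-1.module_el8.3.0+500+458aeb54.noarch'."""
    m = _VERSION_RE.match(nevra)
    if not m:
        raise ValueError("not a pki-server package name: %r" % nevra)
    return tuple(int(x) for x in m.groups())


def acme_supported(version):
    """True when Dogtag is known to provide a complete ACME service."""
    return tuple(version) >= MIN_ACME_PKI_VERSION


def find_acme_schema(candidates=ACME_SCHEMA_CANDIDATES, exists=os.path.isfile):
    """Return the first candidate path that exists, else None.
    'exists' is injectable (hypothetical hook) so the lookup can be tested
    without touching the real filesystem."""
    for path in candidates:
        if exists(path):
            return path
    return None


def acme_preflight(nevra, exists=os.path.isfile):
    """Decide whether ipa-server-install should deploy ACME.
    Returns (deploy, detail): detail is the schema path on success,
    otherwise a human-readable reason for skipping ACME."""
    version = parse_pki_server_version(nevra)
    if not acme_supported(version):
        return False, "pki-server %d.%d.%d lacks complete ACME support" % version
    schema = find_acme_schema(exists=exists)
    if schema is None:
        return False, "ACME schema LDIF not found in any known location"
    return True, schema
```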