Sam Morris via FreeIPA-users wrote: > On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: >> I've got an IPA client on which certmonger is unable to renew a >> certificate. >> >> Here are the log messages from certmonger... >> >> 2023-06-20 08:24:49 [622035] Certificate submission attempt >> complete. >> 2023-06-20 08:24:49 [622035] Child status = 2. >> 2023-06-20 08:24:49 [622035] Child output: >> "Server at https://ipa5.ipa.example.com/ipa/json denied our >> request, giving up: 2100 (Insufficient access: SASL(-1): generic >> failure: GSSAPI Error: Unspecified GSS failure. Minor code may >> provide more information (Credential cache is > >> " >> 2023-06-20 08:24:49 [622035] Server at >> https://ipa5.ipa.example.com/ipa/json denied our request, giving up: >> 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: >> Unspecified GSS failure. Minor code may provide more infor> >> > Today I restarted certmonger (in order to increase its debug level) and > the newly-started instance immediately resubmitted its request and was > issued with a new certificate. So I guess the problem was on the client > after all. >
How old is certmonger? There was a file descriptor leak issue fixed within the last couple of years that would cause a problem like that IIRC. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue