Sam Morris via FreeIPA-users wrote: > On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote: >> Sam Morris via FreeIPA-users wrote: >>> On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: >>>> I've got an IPA client on which certmonger is unable to renew a >>>> certificate. >>>> >>>> Here are the log messages from certmonger... >>>> >>>> 2023-06-20 08:24:49 [622035] Certificate submission attempt >>>> complete. >>>> 2023-06-20 08:24:49 [622035] Child status = 2. >>>> 2023-06-20 08:24:49 [622035] Child output: >>>> "Server at https://ipa5.ipa.example.com/ipa/json denied our >>>> request, giving up: 2100 (Insufficient access: SASL(-1): generic >>>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may >>>> provide more information (Credential cache is > >>>> " >>>> 2023-06-20 08:24:49 [622035] Server at >>>> https://ipa5.ipa.example.com/ipa/json denied our request, giving up: >>>> 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: >>>> Unspecified GSS failure. Minor code may provide more infor> >>>> >>> Today I restarted certmonger (in order to increase its debug level) and >>> the newly-started instance immediately resubmitted its request and was >>> issued with a new certificate. So I guess the problem was on the client >>> after all. >> >> How old is certmonger? There was a file descriptor leak issue fixed >> within the last couple of years that would cause a problem like that >> IIRC. > > Thanks Rob > > This was with certmonger-0.79.17-2.el8.x86_64 > > I didn't check to see how many open fds the process had before > restarting it. The machine it was running on had been up for a couple of > weeks at the time this happened.
Ok, well the fix was done well before that. I suppose it could be another resource leak or simply unrelated but similar behavior. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue