hi,

one of our master servers has a problem with its certificates:

# getcert list

Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes
Request ID '20121107212532':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20121107212548':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes


Where should I start looking?

In /var/log/httpd/error_log there is nothing of consequence.

-- 
Regards,
natxo