[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

[Sam Morris via FreeIPA-users]

On 21/06/2023 09:02, Sam Morris via FreeIPA-users wrote:

On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:

I've got an IPA client on which certmonger is unable to renew a
certificate.

Here are the log messages from certmonger...

 2023-06-20 08:24:49 [622035] Certificate submission attempt 
complete.

 2023-06-20 08:24:49 [622035] Child status = 2.
 2023-06-20 08:24:49 [622035] Child output:
 "Server at https://ipa5.ipa.example.com/ipa/json denied our 
request, giving up: 2100 (Insufficient access: SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
provide more information (Credential cache is >

 "
 2023-06-20 08:24:49 [622035] Server at 
https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 
2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more infor>


Today I restarted certmonger (in order to increase its debug level) and 
the newly-started instance immediately resubmitted its request and was 
issued with a new certificate. So I guess the problem was on the client 
after all.


(Posting to complete the thread)

With hindsight this must be the same issue I reported a couple of months 
later, 
, 
which was ultimately fixed in .


--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

[Rob Crittenden via FreeIPA-users]

Sam Morris via FreeIPA-users wrote:
> On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote:
>> Sam Morris via FreeIPA-users wrote:
>>> On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:
 I've got an IPA client on which certmonger is unable to renew a
 certificate.

 Here are the log messages from certmonger...

   2023-06-20 08:24:49 [622035] Certificate submission attempt
 complete.
   2023-06-20 08:24:49 [622035] Child status = 2.
   2023-06-20 08:24:49 [622035] Child output:
   "Server at https://ipa5.ipa.example.com/ipa/json denied our
 request, giving up: 2100 (Insufficient access: SASL(-1): generic
 failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
 provide more information (Credential cache is >
   "
   2023-06-20 08:24:49 [622035] Server at
 https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
 Unspecified GSS failure.  Minor code may provide more infor>

>>> Today I restarted certmonger (in order to increase its debug level) and
>>> the newly-started instance immediately resubmitted its request and was
>>> issued with a new certificate. So I guess the problem was on the client
>>> after all.
>>
>> How old is certmonger? There was a file descriptor leak issue fixed
>> within the last couple of years that would cause a problem like that
>> IIRC.
> 
> Thanks Rob
> 
> This was with certmonger-0.79.17-2.el8.x86_64
> 
> I didn't check to see how many open fds the process had before
> restarting it. The machine it was running on had been up for a couple of
> weeks at the time this happened.

Ok, well the fix was done well before that. I suppose it could be
another resource leak or simply unrelated but similar behavior.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

[Sam Morris via FreeIPA-users]

On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote:

Sam Morris via FreeIPA-users wrote:

On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:

I've got an IPA client on which certmonger is unable to renew a
certificate.

Here are the log messages from certmonger...

  2023-06-20 08:24:49 [622035] Certificate submission attempt
complete.
  2023-06-20 08:24:49 [622035] Child status = 2.
  2023-06-20 08:24:49 [622035] Child output:
  "Server at https://ipa5.ipa.example.com/ipa/json denied our
request, giving up: 2100 (Insufficient access: SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Credential cache is >
  "
  2023-06-20 08:24:49 [622035] Server at
https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more infor>


Today I restarted certmonger (in order to increase its debug level) and
the newly-started instance immediately resubmitted its request and was
issued with a new certificate. So I guess the problem was on the client
after all.


How old is certmonger? There was a file descriptor leak issue fixed
within the last couple of years that would cause a problem like that IIRC.


Thanks Rob

This was with certmonger-0.79.17-2.el8.x86_64

I didn't check to see how many open fds the process had before 
restarting it. The machine it was running on had been up for a couple of 
weeks at the time this happened.



--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

[Rob Crittenden via FreeIPA-users]

Sam Morris via FreeIPA-users wrote:
> On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:
>> I've got an IPA client on which certmonger is unable to renew a
>> certificate.
>>
>> Here are the log messages from certmonger...
>>
>>  2023-06-20 08:24:49 [622035] Certificate submission attempt
>> complete.
>>  2023-06-20 08:24:49 [622035] Child status = 2.
>>  2023-06-20 08:24:49 [622035] Child output:
>>  "Server at https://ipa5.ipa.example.com/ipa/json denied our
>> request, giving up: 2100 (Insufficient access: SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Credential cache is >
>>  "
>>  2023-06-20 08:24:49 [622035] Server at
>> https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
>> 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more infor>
>>
> Today I restarted certmonger (in order to increase its debug level) and
> the newly-started instance immediately resubmitted its request and was
> issued with a new certificate. So I guess the problem was on the client
> after all.
> 

How old is certmonger? There was a file descriptor leak issue fixed
within the last couple of years that would cause a problem like that IIRC.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

[Sam Morris via FreeIPA-users]

On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:

I've got an IPA client on which certmonger is unable to renew a
certificate.

Here are the log messages from certmonger...

 2023-06-20 08:24:49 [622035] Certificate submission attempt complete.
 2023-06-20 08:24:49 [622035] Child status = 2.
 2023-06-20 08:24:49 [622035] Child output:
 "Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving 
up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
failure.  Minor code may provide more information (Credential cache is >
 "
 2023-06-20 08:24:49 [622035] Server at https://ipa5.ipa.example.com/ipa/json 
denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
infor>

Today I restarted certmonger (in order to increase its debug level) and 
the newly-started instance immediately resubmitted its request and was 
issued with a new certificate. So I guess the problem was on the client 
after all.


--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue