<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 15.09.2016 11:29, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzUpGvt1sbhJpWhP+NsERe3ZvU8M3L_tCLoS8817rQhmWQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>hi,<br>
<br>
</div>
one of our master servers has a problem with its certificates:<br>
<br>
</div>
# getcert list<br>
<div>
<div>
<div><br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20121107212513':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: 907
(RPC failed at server. cannot connect to '<a
moz-do-not-send="true"
href="https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke">https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke</a>':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still
in use.).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
subject: CN=<a moz-do-not-send="true"
href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
expires: 2016-10-12 10:49:24 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command: <br>
post-save command:
/usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20121107212532':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: 4301
(RPC failed at server. Certificate operation cannot be
completed: Failure decoding Certificate Signing Request).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
subject: CN=<a moz-do-not-send="true"
href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
expires: 2016-10-12 10:49:25 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command: <br>
post-save command: <br>
track: yes<br>
auto-renew: yes<br>
Request ID '20121107212548':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: 4301
(RPC failed at server. Certificate operation cannot be
completed: Failure decoding Certificate Signing Request).<br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
subject: CN=<a moz-do-not-send="true"
href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
expires: 2016-10-12 10:49:24 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command: <br>
post-save command:
/usr/lib/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
<br>
<br>
</div>
<div>Where should I start looking?<br>
<br>
</div>
<div>In /var/log/httpd/error_log there is nothing of
consequence.<br clear="all">
</div>
<div><br>
-- <br>
<div class="gmail_signature">--<br>
Groeten,<br>
natxo</div>
</div>
</div>
</div>
</div>
</blockquote>
Hello,<br>
<br>
Usually the most information can be found here:<br>
/var/log/pki/pki-tomcat/ca/debug<br>
<br>
Martin<br>
</body>
</html>