<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 15.09.2016 11:29, Natxo Asenjo
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHBEJzUpGvt1sbhJpWhP+NsERe3ZvU8M3L_tCLoS8817rQhmWQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>hi,<br>
            <br>
          </div>
          one of our master servers has a problem with its certificates:<br>
          <br>
        </div>
        # getcert list<br>
        <div>
          <div>
            <div><br>
              Number of certificates and requests being tracked: 8.<br>
              Request ID '20121107212513':<br>
                      status: CA_UNREACHABLE<br>
                      ca-error: Server failed request, will retry: 907
              (RPC failed at server.  cannot connect to '<a
                moz-do-not-send="true"
                href="https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke">https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke</a>':
              (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still
              in use.).<br>
                      stuck: yes<br>
                      key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
              Certificate
              DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'<br>
                      certificate:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
              Certificate DB'<br>
                      CA: IPA<br>
                      issuer: CN=Certificate Authority,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      subject: CN=<a moz-do-not-send="true"
                href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      expires: 2016-10-12 10:49:24 UTC<br>
                      eku: id-kp-serverAuth,id-kp-clientAuth<br>
                      pre-save command: <br>
                      post-save command:
              /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL<br>
                      track: yes<br>
                      auto-renew: yes<br>
              Request ID '20121107212532':<br>
                      status: CA_UNREACHABLE<br>
                      ca-error: Server failed request, will retry: 4301
              (RPC failed at server.  Certificate operation cannot be
              completed: Failure decoding Certificate Signing Request).<br>
                      stuck: yes<br>
                      key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
              Certificate
              DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
                      certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
              Certificate DB'<br>
                      CA: IPA<br>
                      issuer: CN=Certificate Authority,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      subject: CN=<a moz-do-not-send="true"
                href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      expires: 2016-10-12 10:49:25 UTC<br>
                      eku: id-kp-serverAuth,id-kp-clientAuth<br>
                      pre-save command: <br>
                      post-save command: <br>
                      track: yes<br>
                      auto-renew: yes<br>
              Request ID '20121107212548':<br>
                      status: CA_UNREACHABLE<br>
                      ca-error: Server failed request, will retry: 4301
              (RPC failed at server.  Certificate operation cannot be
              completed: Failure decoding Certificate Signing Request).<br>
                      stuck: yes<br>
                      key pair storage:
              type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
              Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                      certificate:
              type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
              Certificate DB'<br>
                      CA: IPA<br>
                      issuer: CN=Certificate Authority,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      subject: CN=<a moz-do-not-send="true"
                href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a
                moz-do-not-send="true" href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>
                      expires: 2016-10-12 10:49:24 UTC<br>
                      eku: id-kp-serverAuth,id-kp-clientAuth<br>
                      pre-save command: <br>
                      post-save command:
              /usr/lib/ipa/certmonger/restart_httpd<br>
                      track: yes<br>
                      auto-renew: yes<br>
              <br>
              <br>
            </div>
            <div>Where should I start looking?<br>
              <br>
            </div>
            <div>In /var/log/httpd/error_log there is nothing of
              consequence.<br clear="all">
            </div>
            <div><br>
              -- <br>
              <div class="gmail_signature">--<br>
                Regards,<br>
                natxo</div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    Hello,<br>
    <br>
    Usually the most information can be found here:<br>
    /var/log/pki/pki-tomcat/ca/debug<br>
    <br>
    Martin<br>
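    <p>Added example, not part of the original thread and not FreeIPA or
      certmonger code: a small parser that triages <code>getcert list</code>
      output like the listing quoted above, reporting which tracking requests
      are stuck, the numeric code in their ca-error, and the days left before
      expiry, so the matching time window can be looked up in the CA debug
      log. Assumptions: the function names, the 28-day warning threshold, the
      reference time (taken from the date of the post) and the last sample
      record are constructed for illustration.</p>

```python
import re
from datetime import datetime, timezone
# Abridged from the getcert output quoted above; the last record is constructed.
SAMPLE = """\
Request ID '20121107212513':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-10-12 10:49:24 UTC
Request ID '20121107212548':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-10-12 10:49:24 UTC
Request ID 'constructed-healthy':
    status: MONITORING
    stuck: no
    expires: 2018-01-01 00:00:00 UTC
"""
NOW = datetime(2016, 9, 15, 11, 29, tzinfo=timezone.utc)  # assumed: time of the post

def parse_getcert(text):
    """Split getcert list output into one dict per tracking request."""
    requests = []
    for line in map(str.strip, text.splitlines()):
        start = re.match(r"Request ID '([^']+)':$", line)
        if start:
            requests.append({"id": start.group(1)})
        elif requests and ": " in line:
            key, value = line.split(": ", 1)
            requests[-1][key] = value
    return requests

def triage(requests, now, warn_days=28):
    """Return requests that are stuck, not MONITORING, or close to expiry."""
    findings = []
    for r in requests:
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        code = re.search(r"will retry: (\d+)", r.get("ca-error", ""))
        where = re.search(r"location='([^']+)'", r.get("certificate", ""))
        unhealthy = r.get("status") != "MONITORING" or r.get("stuck") == "yes"
        if unhealthy or warn_days >= days_left:
            findings.append({"id": r["id"], "status": r.get("status"),
                             "days_left": days_left, "location": where and where.group(1),
                             "error_code": code and code.group(1)})
    return sorted(findings, key=lambda f: f["days_left"])
```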
  </body>
</html>