<div dir="ltr"><div><div>hi,<br><br></div>one of our master servers has a problem with its certificates:<br><br></div># getcert list<br><div><div><div><br>Number of certificates and requests being tracked: 8.<br>Request ID '20121107212513':<br>        status: CA_UNREACHABLE<br>        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to '<a href="https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke">https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke</a>': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        expires: 2016-10-12 10:49:24 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command: <br>        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL<br>        track: yes<br>        auto-renew: yes<br>Request ID '20121107212532':<br>        status: CA_UNREACHABLE<br>        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  
Certificate operation cannot be completed: Failure decoding Certificate Signing Request).<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        expires: 2016-10-12 10:49:25 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command: <br>        post-save command: <br>        track: yes<br>        auto-renew: yes<br>Request ID '20121107212548':<br>        status: CA_UNREACHABLE<br>        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  
Certificate operation cannot be completed: Failure decoding Certificate Signing Request).<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        expires: 2016-10-12 10:49:24 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command: <br>        post-save command: /usr/lib/ipa/certmonger/restart_httpd<br>        track: yes<br>        auto-renew: yes<br><br><br></div><div>Where should I start looking?<br><br></div><div>In /var/log/httpd/error_log there is nothing of consequence.<br clear="all"></div><div><br>-- <br><div class="gmail_signature">--<br>Regards,<br>natxo</div>
</div></div></div></div>