[Freeipa-users] Certificate serial number not found error

Rob Crittenden rcritten at redhat.com
Mon Dec 10 13:30:21 UTC 2012


James Hogarth wrote:
> Hi,
>
> When trying to view a particular service (or the related host) I'm
> getting the following error in the UI:
>
> IPA Error 4301
> Certificate operation cannot be completed: EXCEPTION (Certificate serial
> number 0xffe000c not found)
>
> Now I've seen similar issue in the past when replication has played up
> and then using ipa-csmanage-replica and forcing syncs (or finding the
> system the certificate is registered on and deleting it there) has
> cleared it up...
>
> Unfortunately I suspect this was on an old replica which no longer
> exists given the error occurs on either of the pair I now have for this
> host and service...
>
> Given there's no 'ignore warning and remove what you can' so far as I
> can see I suspect I'm going to have to delve into LDAP to unravel the
> mess but does anyone know the relevant areas in both 389 servers to do
> this as safely as possible and reduce the risk in doing so as much as
> possible?

You can use ldapmodify to remove the userCertificate attribute from the 
host.

# kinit admin
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com
changetype: modify
delete: usercertificate

modifying entry 
"fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com"

You'll probably want to delete the certificate out of /etc/pki/nssdb on 
the host too.

rob
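As an added example (not Rob's commands or FreeIPA project code): a POSIX shell script that builds the same ldapmodify LDIF, but first reads the certificate stored on the host entry and compares its serial with the one the UI reported, so only a certificate that really is the stale one gets removed. It assumes `kinit admin` has already been run; the host name, base DN and the nssdb nickname are constructed placeholders.

```shell
#!/bin/sh
# Added example: remove a stale userCertificate from a FreeIPA host entry
# only after confirming its serial matches the one the UI complains about.
# Assumes a valid admin Kerberos ticket (kinit admin) is already present.

# Normalise a serial read from stdin so "0xffe000c" (IPA error text) and
# "serial=0FFE000C" (openssl output) compare equal.
norm_serial() {
    tr 'A-F' 'a-f' | sed 's/^serial=//; s/^0x//; s/^0*//'
}

# Emit the LDIF ldapmodify needs to delete the attribute from a host entry.
host_cert_delete_ldif() {
    printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$2"
    printf 'changetype: modify\ndelete: usercertificate\n'
}

# Fetch the DER certificate stored on the entry and print its serial.
# ldapsearch wraps base64 over continuation lines (leading space); re-join them.
stored_cert_serial() {
    ldapsearch -Y GSSAPI -LLL -b "$1" -s base 'userCertificate;binary' 2>/dev/null \
      | awk 'tolower($0) ~ /^usercertificate(;binary)?:: / { grab = 1; sub(/^[^:]*:: /, ""); printf "%s", $0; next }
             grab && /^ / { sub(/^ /, ""); printf "%s", $0; next }
             { grab = 0 }' \
      | base64 -d | openssl x509 -inform DER -noout -serial
}

# Delete the attribute only when the stored serial equals the reported one.
# Usage: remove_stale_host_cert pacer.example.com dc=example,dc=com 0xffe000c
remove_stale_host_cert() {
    fqdn=$1; basedn=$2; reported=$3
    dn="fqdn=$fqdn,cn=computers,cn=accounts,$basedn"
    have=$(stored_cert_serial "$dn" | norm_serial)
    want=$(printf '%s' "$reported" | norm_serial)
    if [ -z "$have" ]; then
        echo "no userCertificate stored on $dn" >&2; return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "stored serial $have is not the reported $want; leaving entry alone" >&2; return 2
    fi
    host_cert_delete_ldif "$fqdn" "$basedn" | ldapmodify -Y GSSAPI
    # The client-side copy on the host lives in /etc/pki/nssdb; inspect with
    #   certutil -d /etc/pki/nssdb -L
    # and remove the matching nickname (placeholder shown) with
    #   certutil -d /etc/pki/nssdb -D -n 'Local IPA host'
}
```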
