[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
Rob Crittenden
rcritten at redhat.com
Thu Dec 5 20:20:23 UTC 2013
Michael Mercier wrote:
> Hello,
>
> A few details to begin:
>
> The IPA system consists of 3 servers running on fully patched CentOS 6.5 (updated Monday night). DNS is integrated with the IPA system.
>
> ipa-*-3.0.0-37.
> mod_nss-1.0.8-19
> openssl-1.0.1e-16
>
>
> The system was upgraded from 2.2
>
>
>
> Yesterday, I revoked a certificate for an old system and signed a certificate for the replacement system (same hostname) with no apparent issues.
>
> Today, I am attempting to sign a certificate for a new system and I am seeing the following error from the command line (with debug=True in /etc/ipa/default.conf):
>
> ipa cert-request <csrfile>
> principal: <hostname>
>
> ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
>
> The GUI responds with:
> IPA ERROR 4310
> Certificate operation cannot be completed: Failure decoding Certificate Signing Request
>
> I have no issues running 'openssl req -text -noout -verify -in <csrfile>’ on the request file.
>
> I did do a 'yum update’ on the system today (after experiencing the errors), with openssl and mod_nss being upgraded on all servers. All systems were rebooted after the upgrade and the problem still exists.
>
> I did see an older thread with a similar issue, but that seemed to involve updating expired certs and Rob did not seem to be able to reproduce the error. Maybe I am experiencing the same problem?
>
> Anyone have an idea where a good place to start looking is?
The Failure decoding is a duplicate error message in a couple of
different places. I'd recommend modifying it per the other thread so we
can know exactly where it failed and why.
rob
More information about the Freeipa-users
mailing list