[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request

Rob Crittenden rcritten at redhat.com
Thu Dec 5 20:41:05 UTC 2013


Dmitri Pal wrote:
> On 12/05/2013 03:20 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>> Hello,
>>>
>>> A few details to begin:
>>>
>>> The IPA system consists of 3 servers running on fully patched CentOS
>>> 6.5 (updated Monday night).  DNS is integrated with the IPA system.
>>>
>>> ipa-*-3.0.0-37.
>>> mod_nss-1.0.8-19
>>> openssl-1.0.1e-16
>>>
>>>
>>> The system was upgraded from 2.2
>>>
>>>
>>>
>>> Yesterday, I revoked a certificate for an old system and signed a
>>> certificate for the replacement system (same hostname) with no
>>> apparent issues.
>>>
>>> Today, I am attempting to sign a certificate for a new system and I
>>> am seeing the following error from the command line (with debug=True
>>> in /etc/ipa/default.conf):
>>>
>>> ipa cert-request <csrfile>
>>> principal: <hostname>
>>>
>>> ipa: ERROR: Certificate operation cannot be completed: Failure
>>> decoding Certificate Signing Request
>>>
>>> The GUI responds with:
>>> IPA ERROR 4310
>>> Certificate operation cannot be completed: Failure decoding
>>> Certificate Signing Request
>>>
>>> I have no issues running 'openssl req -text -noout -verify -in
>>> <csrfile>' on the request file.
>>>
>>> I did do a 'yum update' on the system today (after experiencing the
>>> errors), with openssl and mod_nss being upgraded on all servers.  All
>>> systems were rebooted after the upgrade and the problem still exists.
>>>
>>> I did see an older thread with a similar issue, but that seemed to
>>> involve updating expired certs and Rob did not seem to be able to
>>> reproduce the error.  Maybe I am experiencing the same problem?
>>>
>>> Anyone have an idea where a good place to start looking is?
>>
>> The Failure decoding is a duplicate error message in a couple of
>> different places. I'd recommend modifying it per the other thread so
>> we can know exactly where it failed and why.
>>
>> rob
>>
>
> Rob do we need a ticket for that?

Already fixed in master and 3.3.3, 
https://fedorahosted.org/freeipa/ticket/3988


rob