[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request

Michael Mercier mmercier at gmail.com
Fri Dec 6 17:16:31 UTC 2013


On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Michael Mercier wrote:
>> Hello,
>> 
>> A few details to begin:
>> 
>> The IPA system consists of 3 servers running on fully patched CentOS 6.5 (updated Monday night).  DNS is integrated with the IPA system.
>> 
>> ipa-*-3.0.0-37.
>> mod_nss-1.0.8-19
>> openssl-1.0.1e-16
>> 
>> 
>> The system was upgraded from 2.2
>> 
>> 
>> 
>> Yesterday, I revoked a certificate for an old system and signed a certificate for the replacement system (same hostname) with no apparent issues.
>> 
>> Today, I am attempting to sign a certificate for a new system and I am seeing the following error from the command line (with debug=True in /etc/ipa/default.conf):
>> 
>> ipa cert-request <csrfile>
>> principal: <hostname>
>> 
>> ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
>> 
>> The GUI responds with:
>> IPA ERROR 4310
>> Certificate operation cannot be completed: Failure decoding Certificate Signing Request
>> 
>> I have no issues running 'openssl req -text -noout -verify -in <csrfile>' on the request file.
>> 
>> I did do a 'yum update' on the system today (after experiencing the errors), with openssl and mod_nss being upgraded on all servers.  All systems were rebooted after the upgrade and the problem still exists.
>> 
>> I did see an older thread with a similar issue, but that seemed to involve updating expired certs and Rob did not seem to be able to reproduce the error.  Maybe I am experiencing the same problem?
>> 
>> Anyone have an idea where a good place to start looking is?
> 
> The Failure decoding is a duplicate error message in a couple of different places. I'd recommend modifying it per the other thread so we can know exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Note: I used Java keytool to create the CSR, could that be the problem?

Thanks,
Mike

> 
> rob
