[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request

Rob Crittenden rcritten at redhat.com
Fri Dec 6 18:39:51 UTC 2013


Michael Mercier wrote:
>
> On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>> Michael Mercier wrote:
>>> Hello,
>>>
>>> A few details to begin:
>>>
>>> The IPA system consists of 3 servers running on fully patched CentOS
>>> 6.5 (updated Monday night).  DNS is integrated with the IPA system.
>>>
>>> ipa-*-3.0.0-37.
>>> mod_nss-1.0.8-19
>>> openssl-1.0.1e-16
>>>
>>>
>>> The system was upgraded from 2.2
>>>
>>>
>>>
>>> Yesterday, I revoked a certificate for an old system and signed a
>>> certificate for the replacement system (same hostname) with no
>>> apparent issues.
>>>
>>> Today, I am attempting to sign a certificate for a new system and I
>>> am seeing the following error from the command line (with debug=True
>>> in /etc/ipa/default.conf):
>>>
>>> ipa cert-request <csrfile>
>>> principal: <hostname>
>>>
>>> ipa: ERROR: Certificate operation cannot be completed: Failure
>>> decoding Certificate Signing Request
>>>
>>> The GUI responds with:
>>> IPA ERROR 4310
>>> Certificate operation cannot be completed: Failure decoding
>>> Certificate Signing Request
>>>
>>> I have no issues running 'openssl req -text -noout -verify -in
>>> <csrfile>' on the request file.
>>>
>>> I did do a 'yum update' on the system today (after experiencing the
>>> errors), with openssl and mod_nss being upgraded on all servers.  All
>>> systems were rebooted after the upgrade and the problem still exists.
>>>
>>> I did see an older thread with a similar issue, but that seemed to
>>> involve updating expired certs and Rob did not seem to be able to
>>> reproduce the error.  Maybe I am experiencing the same problem?
>>>
>>> Anyone have an idea where a good place to start looking is?
>>
>> The Failure decoding is a duplicate error message in a couple of
>> different places. I'd recommend modifying it per the other thread so
>> we can know exactly where it failed and why.
>
> Here is the exact message after applying the patch…
>
> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security
> library: improperly formatted DER-encoded message.
>
> Note: I used java keytool to create the CSR, could that be the problem?

Possible I guess.

If you convert that to a DER (openssl can do this pretty easily) you can
try /usr/lib[64]/nss/unsupported/derdump -i /path/to/file. This may tell
you approximately where it is blowing up.

rob
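The triage Rob describes, as an added example that is not part of this thread and not IPA's or NSS's own code: a small Python script (function names are my own) that unwraps a PEM CSR into DER, accepting the "NEW CERTIFICATE REQUEST" header that Java keytool writes, and then checks the outer SEQUENCE tag and length, the kind of defect NSS reports as SEC_ERROR_BAD_DER, before the DER is handed to derdump. The sample helpers build constructed inputs only; no real CSR is embedded.

```python
import base64, re

# Accept the standard header and the "NEW CERTIFICATE REQUEST" header that
# Java keytool -certreq writes (assumption: the poster's CSR looks like this).
PEM_RE = re.compile(rb"-----BEGIN (NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
                    rb"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes for a CSR given PEM or raw DER input (DER passes through)."""
    if data[:1] == b"\x30":            # 0x30 = SEQUENCE tag: already DER
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST PEM block found")
    body = re.sub(rb"\s+", b"", m.group(2))   # drop CR/LF inside the armor
    return base64.b64decode(body, validate=True)

def check_der_sequence(der: bytes) -> tuple:
    """Structural check of the outer SEQUENCE: correct tag, shortest-form
    length, and a declared length that matches the bytes actually present."""
    if not der or der[0] != 0x30:
        return False, "outer tag is not SEQUENCE (0x30)"
    first = der[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "malformed long-form length"
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
        if length < 0x80 or der[2] == 0:
            return False, "non-minimal length encoding (DER requires shortest form)"
    if hdr + length != len(der):
        return False, f"declared {hdr + length} bytes, file has {len(der)} (truncated or trailing bytes)"
    return True, "outer SEQUENCE well-formed; run derdump -i on the DER for the inner structure"

def der_sequence(payload: bytes) -> bytes:
    """Encode payload as a DER SEQUENCE; used only to build constructed samples."""
    if len(payload) < 0x80:
        return b"\x30" + bytes([len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + payload

def wrap_pem(der: bytes, keytool_style: bool = True) -> bytes:
    """Build a constructed PEM file around DER bytes, CRLF-terminated like keytool output."""
    label = b"NEW CERTIFICATE REQUEST" if keytool_style else b"CERTIFICATE REQUEST"
    return (b"-----BEGIN " + label + b"-----\r\n" + base64.b64encode(der) +
            b"\r\n-----END " + label + b"-----\r\n")
```

To use it on a real request, read the CSR file, pass the bytes to pem_to_der, write the result to a .der file, and point derdump at that file if check_der_sequence reports it well-formed.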