[Freeipa-users] Failure decoding Certificate Signing Request
Rob Crittenden
rcritten at redhat.com
Tue Oct 22 17:45:43 UTC 2013
Thomson, Ryan wrote:
> Hi Rob,
>
>> There is some duplication in the error strings (ticket
>> https://fedorahosted.org/freeipa/ticket/3988). Did you add a number prefix
>> to yours, I see a 3 -in the error. If so, by my calculation, this works out to be
>> an NSPRError. It would be helpful to know what exception is being raised,
>> which we don't do.
>
> I did prefix numbers to the various error strings.
>
>> Either way, if you could enhance each occurrence of 'Failure decoding
>> Certificate Signing Request' in /usr/lib/python*/site-
>> packages/ipalib/plugins/cert.py to something like:
>>
>> except NSPEError, nsprerr:
>> raise errors.CertificateOperationError(error=_('Failure decoding
>> Certificate Signing Request" %s') % nsprerr)
>>
>> You'll need to restart the httpd process afterwards. This should give us the
>> real reason for the failure.
>
> Done. The error I get now is:
>
> Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request" [Errno -8018] error (-8018) unknown).
Hmm, very strange indeed.
It should be using the NSS database initialized in mod_nss for Apache,
which should remain open and available for wsgi. It almost seems like
the database has been shut down.
Can you add a logging event to log the value of nss.nss_is_initialized()?
Have you done any configuration customization in Apache or mod_nss?
thanks
rob
More information about the Freeipa-users
mailing list