[Freeipa-users] Failure decoding Certificate Signing Request
Thomson, Ryan
ryan.thomson at ubc.ca
Tue Oct 22 23:10:57 UTC 2013
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, October 22, 2013 10:46 AM
> To: Thomson, Ryan; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request
>
> Thomson, Ryan wrote:
> > Hi Rob,
> >
> >> There is some duplication in the error strings (ticket
> >> https://fedorahosted.org/freeipa/ticket/3988). Did you add a number
> >> prefix to yours, I see a 3 -in the error. If so, by my calculation,
> >> this works out to be an NSPRError. It would be helpful to know what
> >> exception is being raised, which we don't do.
> >
> > I did prefix numbers to the various error strings.
> >
> >> Either way, if you could enhance each occurrence of 'Failure decoding
> >> Certificate Signing Request' in /usr/lib/python*/site-
> >> packages/ipalib/plugins/cert.py to something like:
> >>
> >> except NSPEError, nsprerr:
> >> raise errors.CertificateOperationError(error=_('Failure
> >> decoding Certificate Signing Request" %s') % nsprerr)
> >>
> >> You'll need to restart the httpd process afterwards. This should give
> >> us the real reason for the failure.
> >
> > Done. The error I get now is:
> >
> > Server failed request, will retry: 4301 (RPC failed at server. Certificate
> operation cannot be completed: Failure decoding Certificate Signing
> Request" [Errno -8018] error (-8018) unknown).
>
> Hmm, very strange indeed.
>
> It should be using the NSS database initialized in mod_nss for Apache, which
> should remain open and available for wsgi. It almost seems like the database
> has been shut down.
>
> Can you add a logging event to log the value of nss.nss_is_initialized()?
>
> Have you done any configuration customization in Apache or mod_nss?
>
> thanks
>
> rob
The return value of nss.nss_is_initialized() is False when I resubmit the (expired) certs through certmonger.
I did have a custom config for apache that configured a virtual host with SSL. I have disabled that config and restarted httpd, resubmitted the certs to certmonger but I still receive the same error. I will continue poking through my apache / mod_nss config to see if anything stands out.
Cheers,
--Ryan
More information about the Freeipa-users
mailing list