[Freeipa-users] Failure decoding Certificate Signing Request

Thomson, Ryan ryan.thomson at ubc.ca
Wed Oct 23 21:05:54 UTC 2013


> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, October 22, 2013 7:13 PM
> To: Thomson, Ryan; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request
> 
> Thomson, Ryan wrote:
> >> -----Original Message-----
> >> From: Rob Crittenden [mailto:rcritten at redhat.com]
> >> Sent: Tuesday, October 22, 2013 10:46 AM
> >> To: Thomson, Ryan; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing
> >> Request
> >>
> >> Thomson, Ryan wrote:
> >>> Hi Rob,
> >>>
> >>>> There is some duplication in the error strings (ticket
> >>>> https://fedorahosted.org/freeipa/ticket/3988). Did you add a number
> >>>> prefix to yours, I see a 3 in the error. If so, by my calculation,
> >>>> this works out to be an NSPRError. It would be helpful to know what
> >>>> exception is being raised, which we don't do.
> >>>
> >>> I did prefix numbers to the various error strings.
> >>>
> >>>> Either way, if you could enhance each occurrence of 'Failure
> >>>> decoding Certificate Signing Request' in /usr/lib/python*/site-
> >>>> packages/ipalib/plugins/cert.py to something like:
> >>>>
> >>>> except NSPRError, nsprerr:
> >>>>     raise errors.CertificateOperationError(error=_('Failure
> >>>> decoding Certificate Signing Request %s') % nsprerr)
> >>>>
> >>>> You'll need to restart the httpd process afterwards. This should
> >>>> give us the real reason for the failure.
> >>>
> >>> Done. The error I get now is:
> >>>
> >>> Server failed request, will retry: 4301 (RPC failed at server.
> >>> Certificate
> >> operation cannot be completed: Failure decoding Certificate Signing
> >> Request" [Errno -8018] error (-8018) unknown).
> >>
> >> Hmm, very strange indeed.
> >>
> >> It should be using the NSS database initialized in mod_nss for
> >> Apache, which should remain open and available for wsgi. It almost
> >> seems like the database has been shut down.
> >>
> >> Can you add a logging event to log the value of nss.nss_is_initialized()?
> >>
> >> Have you done any configuration customization in Apache or mod_nss?
> >>
> >> thanks
> >>
> >> rob
> >
> > The return value of nss.nss_is_initialized() is False when I resubmit the
> (expired) certs through certmonger.
> 
> Ok, that is the core of the issue then. pkcs10.load_certificate() will initialize
> NSS if it isn't already, and I'm guessing that is failing and is the source of this
> exception.
> 
> > I did have a custom config for apache that configured a virtual host with
> SSL. I have disabled that config and restarted httpd, resubmitted the certs to
> certmonger but I still receive the same error. I will continue poking through
> my apache / mod_nss config to see if anything stands out.
> 
> You're still using mod_nss though, right?
> 
> rob

I'm still using mod_nss.

I have discovered that I might be focusing on a symptom here rather than the core problem. If I restart httpd and then certmonger, the first error returned when certmonger tries to renew the certificates is not "Failure decoding Certificate Signing Request" but rather:

"Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (You did not provide a valid certificate for this operation))."

for two certs, and:

"Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://HOSTNAME.DOMAIN:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.)."

for a third.

After some time, I resubmit and the error returned changes to "Failure decoding..." for all three (expired) certs.

In the httpd error_log during that time, I see the following errors and traceback:

[Sun Oct 06 21:13:14 2013] [error] /usr/lib64/python2.6/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
[Sun Oct 06 21:13:14 2013] [error]   passwd = fallback_getpass(prompt, stream)
[Sun Oct 06 21:13:14 2013] [error] Warning: Password input may be echoed.
[Sun Oct 06 21:13:14 2013] [error] Enter password for internal: 
[Sun Oct 06 21:13:14 2013] [error] exception in PK11 password callback
[Sun Oct 06 21:13:14 2013] [error] Traceback (most recent call last):
[Sun Oct 06 21:13:14 2013] [error]   File "/usr/lib/python2.6/site-packages/ipapython/nsslib.py", line 229, in password_callback
[Sun Oct 06 21:13:14 2013] [error]     return getpass.getpass("Enter password for %s: " % slot.token_name);
[Sun Oct 06 21:13:14 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 83, in unix_getpass
[Sun Oct 06 21:13:14 2013] [error]     passwd = fallback_getpass(prompt, stream)
[Sun Oct 06 21:13:14 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 118, in fallback_getpass
[Sun Oct 06 21:13:14 2013] [error]     return _raw_input(prompt, stream)
[Sun Oct 06 21:13:14 2013] [error]   File "/usr/lib64/python2.6/getpass.py", line 135, in _raw_input
[Sun Oct 06 21:13:14 2013] [error]     raise EOFError
[Sun Oct 06 21:13:14 2013] [error] EOFError

It looks like perhaps there is a problem retrieving a password (for an NSS db?) with getpass.

Thanks for your help so far, Rob. Much appreciated.

Cheers,

--Ryan
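The traceback above shows the PK11 password callback calling getpass.getpass() from inside httpd, where there is no controlling terminal, so it raises EOFError and NSS surfaces an opaque error code. The following is an added example (not FreeIPA's nsslib.py code) of a token password callback that reads the PIN from a passphrase file and fails with a clear message when neither a file entry nor a terminal is available. It assumes the python-nss callback signature (slot, retry, user_data) and the `token:password` line format used by mod_nss passphrase files; the `pin_file` key and `interactive` parameter are this example's own.

```python
"""Non-interactive NSS token password callback (added example, not FreeIPA code).

Assumed callback signature (slot, retry, user_data) follows python-nss;
the "token:password" line format is the one used by mod_nss passphrase files.
"""
import getpass
import sys


def read_pin_file(path, token_name):
    """Return the password for token_name from a 'token:password' file, or None."""
    try:
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#") or ":" not in line:
                    continue
                name, _, password = line.partition(":")
                if name.strip() == token_name:
                    return password
    except IOError:
        return None
    return None


def token_password(slot, retry, user_data, interactive=None):
    """PK11 password callback that never blocks on a missing terminal.

    slot:        object with a token_name attribute (nss.PK11Slot in real use)
    retry:       set by NSS when the previous PIN was rejected; return None to stop
    user_data:   dict with an optional 'pin_file' path (hypothetical key)
    interactive: override for sys.stdin.isatty(), used by tests
    """
    if retry:
        return None  # re-reading the same source would loop forever
    if interactive is None:
        interactive = sys.stdin.isatty()
    pin_file = (user_data or {}).get("pin_file")
    if pin_file:
        pin = read_pin_file(pin_file, slot.token_name)
        if pin is not None:
            return pin
    if interactive:
        return getpass.getpass("Enter password for %s: " % slot.token_name)
    # Fail loudly with the real reason instead of an EOFError deep inside NSS.
    raise RuntimeError("no PIN for token %r: no passphrase file entry and "
                       "no terminal to prompt on" % slot.token_name)
```

Logging the RuntimeError at the WSGI layer gives the operator the actual cause (missing passphrase entry) instead of an NSS error code such as -8018 or SEC_ERROR_BUSY.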