[Freeipa-users] certificates not renewing CA_UNREACHEABLE

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 15 09:29:22 UTC 2016


hi,

one of our master servers has a problem with its certificates:

# getcert list

Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes
Request ID '20121107212532':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20121107212548':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes


Where should I start looking?

In /var/log/httpd/error_log there is nothing of consequence.

-- 
Groeten,
natxo
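One practical first step with output like the above is to turn it into a checklist: which tracked requests are stuck, what error code certmonger last got from the CA, and how many days remain before each certificate expires. The script below is an added example, not part of the original post and not code from FreeIPA or certmonger. Its SAMPLE_OUTPUT is an abridged copy of the poster's own getcert output (wrapped lines rejoined, two of the three stuck requests kept) plus one invented healthy entry, Request ID '20160101000000' with nickname 'Example-Cert' in '/etc/pki/nssdb', added purely for contrast; the reference date is the date of the mail.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two stuck requests abridged from the post above, plus one
# invented healthy request ('20160101000000') so the triage has something to skip.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        CA: IPA
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes
Request ID '20121107212548':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20160101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Example-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=example.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2017-03-01 00:00:00 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Non-greedy key so 'ca-error: ... will retry: 907 (...)' splits at the first colon.
FIELD_RE = re.compile(r"^\s+([\w -]+?):\s*(.*)$")
RETRY_CODE_RE = re.compile(r"will retry: (\d+)")


def parse_timestamp(value):
    """Turn certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into a timezone-aware datetime."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Parse `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)  # e.g. 'status' -> 'CA_UNREACHABLE'
    return requests


def triage(requests, now, warn_days=30):
    """Flag requests certmonger cannot renew, or whose cert expires within warn_days."""
    findings = []
    for r in requests:
        days_left = (parse_timestamp(r["expires"]) - now).days
        stuck = r.get("stuck") == "yes" or r.get("status") != "MONITORING"
        if not stuck and days_left > warn_days:
            continue  # healthy and not close to expiry: nothing to report
        code = RETRY_CODE_RE.search(r.get("ca-error", ""))
        findings.append({
            "id": r["id"],
            "status": r.get("status"),
            "store": r.get("key pair storage"),
            "error_code": int(code.group(1)) if code else None,
            "days_left": days_left,
            "reason": "renewal stuck" if stuck else "expiring soon",
        })
    # Least time remaining first; stable sort keeps getcert's order among ties.
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    mail_date = parse_timestamp("2016-09-15 09:29:22 UTC")
    for f in triage(parse_getcert_list(SAMPLE_OUTPUT), mail_date):
        print(f"{f['id']}: {f['reason']} ({f['status']}, CA error {f['error_code']}), "
              f"{f['days_left']} days left, store {f['store']}")
```

Run against real output by replacing SAMPLE_OUTPUT with the text of `getcert list` on the server. For the post's data it reports both requests as stuck with CA errors 907 and 4301 and 27 days until expiry, which bounds how long there is to resolve the two distinct failures in the ca-error text (SEC_ERROR_BUSY on the doRevoke call, and the CSR decoding failure) before the services lose their certificates.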