[Freeipa-users] certificates not renewing CA_UNREACHABLE
Natxo Asenjo
natxo.asenjo at gmail.com
Thu Sep 15 09:29:22 UTC 2016
hi,
one of our master servers has a problem with its certificates:
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:24 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
    track: yes
    auto-renew: yes
Request ID '20121107212532':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:25 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20121107212548':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:24 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Where should I start looking?
In /var/log/httpd/error_log there is nothing of consequence.
--
Groeten,
natxo