[Freeipa-users] certificates not renewing CA_UNREACHEABLE
Martin Basti
mbasti at redhat.com
Thu Sep 15 10:33:21 UTC 2016
On 15.09.2016 11:29, Natxo Asenjo wrote:
> hi,
>
> one of our master servers has a problem with its certificates:
>
> # getcert list
>
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 907 (RPC failed
> at server. cannot connect to
> 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke':
> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2016-10-12 10:49:24 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
> track: yes
> auto-renew: yes
> Request ID '20121107212532':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed
> at server. Certificate operation cannot be completed: Failure
> decoding Certificate Signing Request).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2016-10-12 10:49:25 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20121107212548':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed
> at server. Certificate operation cannot be completed: Failure
> decoding Certificate Signing Request).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2016-10-12 10:49:24 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
> Where should I start looking?
>
> In /var/log/httpd/error_log there is nothing of consequence.
>
> --
> --
> Groeten,
> natxo
>
>
Hello,
usually the most information can be found here:
/var/log/pki/pki-tomcat/ca/debug
Martin
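
Added example, not part of the original thread: a small parser for `getcert list` output like the one quoted above, which lists the requests that are stuck, not in the MONITORING state, or close to expiry, so they can be matched against the CA debug log. The sample input is constructed, and the function names and the 30-day threshold are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like the `getcert list` output quoted above;
# host and realm are placeholders, the second request is invented.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed
at server. Certificate operation cannot be completed).
    stuck: yes
    subject: CN=ipa01.example.test,O=EXAMPLE.TEST
    expires: 2016-10-12 10:49:24 UTC
Request ID '20160101000000':
    status: MONITORING
    stuck: no
    subject: CN=ipa01.example.test,O=EXAMPLE.TEST
    expires: 2018-09-01 08:00:00 UTC
"""

REQ = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s*(.*)$")

def parse_getcert(text):
    """Return one dict per tracked request; mail-wrapped lines are rejoined."""
    requests, cur, last = [], None, None
    for line in text.splitlines():
        if (m := REQ.match(line)):
            cur, last = {"id": m.group(1)}, None
            requests.append(cur)
        elif cur is None:
            continue                      # header before the first request
        elif (f := FIELD.match(line)):
            last = f.group(1)
            cur[last] = f.group(2).strip()
        elif last and line.strip():       # continuation of the previous field
            cur[last] = (cur[last] + " " + line.strip()).strip()
    return requests

def triage(requests, now, warn_days=30):
    """List requests that are stuck, not MONITORING, or near expiry."""
    findings = []
    for r in requests:
        days = None
        if "expires" in r:
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days = (exp.replace(tzinfo=timezone.utc) - now).days
        if (r.get("stuck") == "yes" or r.get("status") != "MONITORING"
                or (days is not None and days < warn_days)):
            findings.append((r["id"], r.get("status"), days, r.get("ca-error", "")))
    return findings
```

Each finding is a tuple of request ID, status, whole days until expiry, and the rejoined `ca-error` text.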