Hello all,

This is my first post here, so be gentle.

I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on
CentOS 7.3.1611 and for a while now I can't get any certificates to my hosts.

The client has installed: ipa-client-4.4.0-14.el7.centos.7.x86_64 and is also
running CentOS 7.3.1611 (actually, this happens on all new clients, same OS,
same version).

I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k
/etc/pki/tls/private/servername.key' on the client. This runs without any
errors. When I look at the output of 'ipa-getcert list' I get:

Request ID '20170610005114':
ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, will 
retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: 
FAILURE (String index out of range: -36)).
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
expires: unknown
pre-save command: 
post-save command: 
track: yes
auto-renew: yes

On the FreeIPA server I noticed in /var/log/httpd/error_log:
[Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR: 
ra.request_certificate(): FAILURE (String index out of range: -36)
[Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver] 
host/<hostname removed>: cert_request(<removed certificate for security 
reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'): 

Any thoughts on how to fix this? Or debug this further? This is a single FreeIPA
server with no replicas. When this is fixed I'm going to add a replica but I
don't think I can do that without fixing this.

Best regards,

Jochem Kuijpers
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org