jochem--- via FreeIPA-users wrote:
> Hello all,
> This is my first post here, so be gentle.
> I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on
> CentOS 7.3.1611, and for a while now I can't get any certificates to my hosts.
> The client has ipa-client-4.4.0-14.el7.centos.7.x86_64 installed and is also
> running CentOS 7.3.1611 (actually, this happens on all new clients, same OS,
> same version).
> I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k
> /etc/pki/tls/private/servername.key' on the client. This runs without any
> errors. When I look at the output of 'ipa-getcert list' I get:
> Request ID '20170610005114':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (String index out of range: -36)).
>         stuck: no
>         key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
>         certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
>         CA: IPA
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> On the FreeIPA server I noticed in /var/log/httpd/error_log:
> [Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR: ra.request_certificate(): FAILURE (String index out of range: -36)
> [Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver] host/<hostname removed>: cert_request(<removed certificate for security reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'):
> Any thoughts on how to fix this? Or debug this further? This is a single
> FreeIPA server with no replicas. When this is fixed I'm going to add a
> replica, but I don't think I can do that without fixing this.
I suspect this error is coming from the CA itself. I'd try this; it
might give more info.
Create /etc/ipa/server.conf with the contents:
debug = True
Then restart httpd and do your request again. It should log more steps
in the apache error log.
You might also look at /var/log/pki/pki-tomcat/ca/debug
> Best regards,
> Jochem Kuijpers
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
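The `ipa-getcert list` output quoted in the thread has a regular shape (one `Request ID` line followed by tab-indented `field: value` lines), which makes it easy to check from a script when the same CA_UNREACHABLE failure shows up across many clients. The following is an added example, not code from the thread or from FreeIPA or certmonger: it parses that output, flags every request that is not in the healthy MONITORING state and extracts the RPC error code (4301 above). The sample output is constructed; the second request, its file names, the issuer and subject are made up, and the wrapped `ca-error` lines mirror the mail-wrapped text in the post.

```python
"""Triage helper for `ipa-getcert list` output (added example, not FreeIPA code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output: one request failing as in the thread above and
# one healthy request. certmonger indents each field with a tab; the ca-error
# of the first request is wrapped the way a mail client wraps it.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170610005114':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request,
will retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: FAILURE (String index out of range: -36)).
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
\tCA: IPA
\texpires: unknown
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20170101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/other.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/other.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=client.example.test,O=EXAMPLE.TEST
\texpires: 2019-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\t([^:]+):\s?(.*)$")   # tab, key up to first colon, value
RPC_CODE_RE = re.compile(r"will retry: (\d+)")  # numeric code inside ca-error

Request = Dict[str, str]


def parse_getcert_list(text: str) -> Dict[str, Request]:
    """Return {request_id: {field: value}} for every tracked request.

    Field lines start with a tab. Any other line inside a request block
    (e.g. a long ca-error wrapped by a mail client or pager) is treated as a
    continuation and appended to the previous field's value.
    """
    requests: Dict[str, Request] = {}
    current: Optional[Request] = None
    last_key: Optional[str] = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ... tracked"
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None and line.strip():
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def failing_requests(requests: Dict[str, Request]) -> List[Tuple[str, str, Optional[int], str]]:
    """(request_id, status, rpc_error_code, ca_error) for each request not MONITORING."""
    problems: List[Tuple[str, str, Optional[int], str]] = []
    for rid, fields in requests.items():
        status = fields.get("status", "UNKNOWN")
        if status == "MONITORING":
            continue
        ca_error = fields.get("ca-error", "")
        m = RPC_CODE_RE.search(ca_error)
        problems.append((rid, status, int(m.group(1)) if m else None, ca_error))
    return problems


if __name__ == "__main__":
    import sys
    # Pipe real output in with `ipa-getcert list | python3 getcert_triage.py -`;
    # without the argument the constructed sample above is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    bad = failing_requests(parse_getcert_list(text))
    for rid, status, code, err in bad:
        print(f"{rid}: {status} rpc_code={code} {err}")
    sys.exit(1 if bad else 0)
```

The non-zero exit status makes the script usable as a check from a cron job or a configuration-management run on each client, so a CA-side regression like the one in the thread is noticed before certificates actually expire rather than when a renewal silently fails.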