jochem--- via FreeIPA-users wrote:
> Hello all,
>
> This is my first post here, so be gentle.
>
> I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on
> CentOS 7.3.1611 and since a while I can't get any certificates to my hosts.
>
> The client has installed: ipa-client-4.4.0-14.el7.centos.7.x86_64 and is also
> running CentOS 7.3.1611 (actually, this happens on all new clients, same OS,
> same version).
>
> I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k
> /etc/pki/tls/private/servername.key' on the client. This runs without any
> errors. When I look at the output of 'ipa-getcert list' I get:
>
> Request ID '20170610005114':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request,
>   will retry: 4301 (RPC failed at server. Certificate operation cannot be
>   completed: FAILURE (String index out of range: -36)).
>   stuck: no
>   key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
>   certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
>   CA: IPA
>   issuer:
>   subject:
>   expires: unknown
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
>
> On the FreeIPA server I noticed in /var/log/httpd/error_log:
> [Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR:
> ra.request_certificate(): FAILURE (String index out of range: -36)
> [Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver]
> host/<hostname removed>: cert_request(<removed certificate for security
> reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'):
> CertificateOperationError
>
> Any thoughts on how to fix this? Or debug this further? This is a single
> FreeIPA server with no replicas. When this is fixed I'm going to add a
> replica but I don't think I can do that without fixing this.
I suspect this error is coming from the CA itself.

I'd try this, it might give more info. Create /etc/ipa/server.conf with the
contents:

[global]
debug = True

Then restart httpd and do your request again. It should log more steps in
the apache error log.

You might also look at /var/log/pki/pki-tomcat/ca/debug

rob

> Best regards,
>
> Jochem Kuijpers
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org