jochem--- via FreeIPA-users wrote:
> Hello all,
> This i my first post here, so be gentle.
> I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on 
> CentOS 7.3.1611 and since a while i can't get any certificates to my hosts.
> The client has installed: ipa-client-4.4.0-14.el7.centos.7.x86_64 ans is also 
> running CentOS 7.3.1611 (actually, this happens on all new clients, same os, 
> same version).
> I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k 
> /etc/pki/tls/private/servername.key' on the client. This runs without any 
> errors. When i look at the output of 'ipa-getcert list' i get:
> Request ID '20170610005114':
> ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, 
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be 
> completed: FAILURE (String index out of range: -36)).
> stuck: no
> key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
> certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
> issuer: 
> subject: 
> expires: unknown
> pre-save command: 
> post-save command: 
> track: yes
> auto-renew: yes
> On the FreeIPA server i noticed in /var/log/httpd/error_log: 
> [Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR: 
> ra.request_certificate(): FAILURE (String index out of range: -36)
> [Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver] 
> host/<hostname removed>: cert_request(<removed certificate for security 
> reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'): 
> CertificateOperationError
> Any thoughts on how to fix this? Or debug this further? This i a single 
> FreeIPA server with no replica's. When this is fixed i'm going to add a 
> replica but i don't think i can do that without fixing this.

I suspect this error is coming from the CA itself. I'd try this, it
might give more info.

Create /etc/ipa/server.conf with the contents:

debut = True

Then restart httpd and do your request again. It should log more steps
in the apache error log.

You might also look at /var/log/pki/pki-tomcat/ca/debug


> Best regards,
> Jochem Kuijpers
> _______________________________________________
> FreeIPA-users mailing list --
> To unsubscribe send an email to
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to