[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

Mon, 26 Jun 2023 10:25:05 -0700 

On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote:

Sam Morris via FreeIPA-users wrote:

On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:

I've got an IPA client on which certmonger is unable to renew a
certificate.

Here are the log messages from certmonger...

      2023-06-20 08:24:49 [622035] Certificate submission attempt
complete.
      2023-06-20 08:24:49 [622035] Child status = 2.
      2023-06-20 08:24:49 [622035] Child output:
      "Server at https://ipa5.ipa.example.com/ipa/json denied our
request, giving up: 2100 (Insufficient access: SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Credential cache is >
      "
      2023-06-20 08:24:49 [622035] Server at
https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more infor>


Today I restarted certmonger (in order to increase its debug level) and
the newly-started instance immediately resubmitted its request and was
issued with a new certificate. So I guess the problem was on the client
after all.


How old is certmonger? There was a file descriptor leak issue fixed
within the last couple of years that would cause a problem like that IIRC.


Thanks Rob

This was with certmonger-0.79.17-2.el8.x86_64
I didn't check to see how many open fds the process had before restarting it. The machine it was running on had been up for a couple of weeks at the time this happened. 


--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to