> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Tuesday, October 22, 2013 10:46 AM
> To: Thomson, Ryan; [email protected]
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request
>
> Thomson, Ryan wrote:
> > Hi Rob,
> >
> >> There is some duplication in the error strings (ticket
> >> https://fedorahosted.org/freeipa/ticket/3988). Did you add a number
> >> prefix to yours, I see a 3 -in the error. If so, by my calculation,
> >> this works out to be an NSPRError. It would be helpful to know what
> >> exception is being raised, which we don't do.
> >
> > I did prefix numbers to the various error strings.
> >
> >> Either way, if you could enhance each occurrence of 'Failure decoding
> >> Certificate Signing Request' in
> >> /usr/lib/python*/site-packages/ipalib/plugins/cert.py to something like:
> >>
> >>     except NSPRError, nsprerr:
> >>         raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request" %s') % nsprerr)
> >>
> >> You'll need to restart the httpd process afterwards. This should give
> >> us the real reason for the failure.
> >
> > Done. The error I get now is:
> >
> > Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request" [Errno -8018] error (-8018) unknown).
>
> Hmm, very strange indeed.
>
> It should be using the NSS database initialized in mod_nss for Apache, which
> should remain open and available for wsgi. It almost seems like the database
> has been shut down.
>
> Can you add a logging event to log the value of nss.nss_is_initialized()?
>
> Have you done any configuration customization in Apache or mod_nss?
>
> thanks
>
> rob

The return value of nss.nss_is_initialized() is False when I resubmit the (expired) certs through certmonger.

I did have a custom config for apache that configured a virtual host with SSL. I have disabled that config and restarted httpd, resubmitted the certs to certmonger but I still receive the same error. I will continue poking through my apache / mod_nss config to see if anything stands out.

Cheers,
--Ryan
