Re: [Freeipa-users] Failure decoding Certificate Signing Request

Tue, 22 Oct 2013 19:16:36 -0700 

Thomson, Ryan wrote:

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Tuesday, October 22, 2013 10:46 AM
To: Thomson, Ryan; [email protected]
Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request

Thomson, Ryan wrote:

Hi Rob,


There is some duplication in the error strings (ticket
https://fedorahosted.org/freeipa/ticket/3988). Did you add a number
prefix to yours, I see a 3 -in the error. If so, by my calculation,
this works out to be an NSPRError. It would be helpful to know what
exception is being raised, which we don't do.


I did prefix numbers to the various error strings.


Either way, if you could enhance each occurrence of 'Failure decoding
Certificate Signing Request' in /usr/lib/python*/site-
packages/ipalib/plugins/cert.py to something like:

except NSPEError, nsprerr:
       raise  errors.CertificateOperationError(error=_('Failure
decoding Certificate Signing Request" %s') % nsprerr)

You'll need to restart the httpd process afterwards. This should give
us the real reason for the failure.


Done. The error I get now is:

Server failed request, will retry: 4301 (RPC failed at server.  Certificate

operation cannot be completed: Failure decoding Certificate Signing
Request" [Errno -8018] error (-8018) unknown).

Hmm, very strange indeed.

It should be using the NSS database initialized in mod_nss for Apache, which
should remain open and available for wsgi. It almost seems like the database
has been shut down.

Can you add a logging event to log the value of nss.nss_is_initialized()?

Have you done any configuration customization in Apache or mod_nss?

thanks

rob


The return value of nss.nss_is_initialized() is False when I resubmit the 
(expired) certs through certmonger.
Ok, that is the core of the issue then. pkcs10.load_certificate() will initialize NSS If it isn't already and I'm guessing that is failing and is the source of this exception. 


I did have a custom config for apache that configured a virtual host with SSL. 
I have disabled that config and restarted httpd, resubmitted the certs to 
certmonger but I still receive the same error. I will continue poking through 
my apache / mod_nss config to see if anything stands out.


You're still using mod_nss though, right?

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to