Dmitri Pal wrote:
On 12/05/2013 03:20 PM, Rob Crittenden wrote:
Michael Mercier wrote:
Hello,

A few details to begin:

The IPA system consists of 3 servers running on fully patched CentOS
6.5 (updated Monday night).  DNS is integrated with the IPA system.

ipa-*-3.0.0-37.
mod_nss-1.0.8-19
openssl-1.0.1e-16


The system was upgraded from 2.2



Yesterday, I revoked a certificate for an old system and signed a
certificate for the replacement system (same hostname) with no
apparent issues.

Today, I am attempting to sign a certificate for a new system and I
am seeing the following error from the command line (with debug=True
in /etc/ipa/default.conf):

ipa cert-request <csrfile>
principal: <hostname>

ipa: ERROR: Certificate operation cannot be completed: Failure
decoding Certificate Signing Request

The GUI responds with:
IPA ERROR 4310
Certificate operation cannot be completed: Failure decoding
Certificate Signing Request

I have no issues running 'openssl req -text -noout -verify -in
<csrfile>’ on the request file.

I did do a 'yum update’ on the system today (after experiencing the
errors), with openssl and mod_nss being upgraded on all servers.  All
systems were rebooted after the upgrade and the problem still exists.

I did see an older thread with a similar issue, but that seemed to
involve updating expired certs and Rob did not seem to be able to
reproduce the error.  Maybe I am experiencing the same problem?

Anyone have an idea where a good place to start looking is?

The Failure decoding is a duplicate error message in a couple of
different places. I'd recommend modifying it per the other thread so
we can know exactly where it failed and why.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Rob do we need a ticket for that?

Already fixed in master and 3.3.3, https://fedorahosted.org/freeipa/ticket/3988


rob
rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to