On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Michael Mercier wrote:
>> A few details to begin:
>> The IPA system consists of 3 servers running on fully patched CentOS 6.5
>> (updated Monday night). DNS is integrated with the IPA system.
>> The system was upgraded from 2.2
>> Yesterday, I revoked a certificate for an old system and signed a
>> certificate for the replacement system (same hostname) with no apparent
>> Today, I am attempting to sign a certificate for a new system and I am
>> seeing the following error from the command line (with debug=True in
>> ipa cert-request <csrfile>
>> principal: <hostname>
>> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
>> Certificate Signing Request
>> The GUI responds with:
>> IPA ERROR 4310
>> Certificate operation cannot be completed: Failure decoding Certificate
>> Signing Request
>> I have no issues running 'openssl req -text -noout -verify -in <csrfile>’ on
>> the request file.
>> I did do a 'yum update’ on the system today (after experiencing the errors),
>> with openssl and mod_nss being upgraded on all servers. All systems were
>> rebooted after the upgrade and the problem still exists.
>> I did see an older thread with a similar issue, but that seemed to involve
>> updating expired certs and Rob did not seem to be able to reproduce the
>> error. Maybe I am experiencing the same problem?
>> Anyone have an idea where a good place to start looking is?
> The Failure decoding is a duplicate error message in a couple of different
> places. I'd recommend modifying it per the other thread so we can know
> exactly where it failed and why.
Here is the exact message after applying the patch…
ipa: ERROR: Certificate operation cannot be completed: Failure decoding
Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security
library: improperly formatted DER-encoded message.
Note: I used java keytool to create the CSR, could that be the problem?
Freeipa-users mailing list