On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Michael Mercier wrote:
>> Hello,
>>
>> A few details to begin:
>>
>> The IPA system consists of 3 servers running on fully patched CentOS 6.5
>> (updated Monday night). DNS is integrated with the IPA system.
>>
>> ipa-*-3.0.0-37.
>> mod_nss-1.0.8-19
>> openssl-1.0.1e-16
>>
>> The system was upgraded from 2.2
>>
>> Yesterday, I revoked a certificate for an old system and signed a
>> certificate for the replacement system (same hostname) with no apparent
>> issues.
>>
>> Today, I am attempting to sign a certificate for a new system and I am
>> seeing the following error from the command line (with debug=True in
>> /etc/ipa/default.conf):
>>
>> ipa cert-request <csrfile>
>> principal: <hostname>
>>
>> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
>> Certificate Signing Request
>>
>> The GUI responds with:
>> IPA ERROR 4310
>> Certificate operation cannot be completed: Failure decoding Certificate
>> Signing Request
>>
>> I have no issues running 'openssl req -text -noout -verify -in <csrfile>' on
>> the request file.
>>
>> I did do a 'yum update' on the system today (after experiencing the errors),
>> with openssl and mod_nss being upgraded on all servers. All systems were
>> rebooted after the upgrade and the problem still exists.
>>
>> I did see an older thread with a similar issue, but that seemed to involve
>> updating expired certs and Rob did not seem to be able to reproduce the
>> error. Maybe I am experiencing the same problem?
>>
>> Anyone have an idea where a good place to start looking is?
>
> The Failure decoding is a duplicate error message in a couple of different
> places. I'd recommend modifying it per the other thread so we can know
> exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Thanks,
Mike

>
> rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
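
A framing check for a CSR file like the one discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it reports the PEM label (keytool writes `NEW CERTIFICATE REQUEST` rather than `CERTIFICATE REQUEST`) and whether the outer DER SEQUENCE length matches the decoded data. The function names and the sample bytes are constructed for illustration (the sample is not a real CSR), and the thread does not establish which of these conditions, if any, caused the error.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])  # constructed, not a real CSR

def armor(der, label):
    """Wrap DER bytes in PEM armor with the given label (helper for samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def read_der_header(der):
    """Return (tag, header_len, content_len) for the first DER TLV."""
    if len(der) < 2:
        raise ValueError("truncated: fewer than 2 bytes")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short form: length in one octet
        return tag, 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return tag, 2 + n, int.from_bytes(der[2:2 + n], "big")

def inspect_csr(text):
    """Report the PEM label and any outer-DER framing problems."""
    problems = []
    m = PEM_RE.search(text)
    if m:
        label, b64 = m.group(1), m.group(2)
        if text[:m.start()].strip() or text[m.end():].strip():
            problems.append("text outside the PEM armor")
    else:
        label, b64 = None, text           # treat input as bare base64
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError as e:               # binascii.Error subclasses ValueError
        return {"label": label, "problems": problems + [f"bad base64: {e}"]}
    try:
        tag, hdr, length = read_der_header(der)
        if tag != 0x30:
            problems.append(f"outer tag 0x{tag:02x}, expected SEQUENCE 0x30")
        if hdr + length != len(der):
            problems.append(f"declared {hdr + length} bytes, got {len(der)}")
    except ValueError as e:
        problems.append(str(e))
    return {"label": label, "problems": problems}

if __name__ == "__main__":
    print(inspect_csr(armor(SAMPLE_DER, "NEW CERTIFICATE REQUEST")))
    print(inspect_csr(armor(SAMPLE_DER[:-1], "CERTIFICATE REQUEST")))
```

A clean result here only means the armor and outer length are consistent; it does not validate the request's inner fields or signature.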