Michael Mercier wrote:


On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

Michael Mercier wrote:
Hello,

A few details to begin:

The IPA system consists of 3 servers running on fully patched CentOS
6.5 (updated Monday night).  DNS is integrated with the IPA system.

ipa-*-3.0.0-37.
mod_nss-1.0.8-19
openssl-1.0.1e-16


The system was upgraded from 2.2



Yesterday, I revoked a certificate for an old system and signed a
certificate for the replacement system (same hostname) with no
apparent issues.

Today, I am attempting to sign a certificate for a new system and I
am seeing the following error from the command line (with debug=True
in /etc/ipa/default.conf):

ipa cert-request <csrfile>
principal: <hostname>

ipa: ERROR: Certificate operation cannot be completed: Failure
decoding Certificate Signing Request

The GUI responds with:
IPA ERROR 4310
Certificate operation cannot be completed: Failure decoding
Certificate Signing Request

I have no issues running 'openssl req -text -noout -verify -in
<csrfile>’ on the request file.

I did do a 'yum update’ on the system today (after experiencing the
errors), with openssl and mod_nss being upgraded on all servers.  All
systems were rebooted after the upgrade and the problem still exists.

I did see an older thread with a similar issue, but that seemed to
involve updating expired certs and Rob did not seem to be able to
reproduce the error.  Maybe I am experiencing the same problem?

Anyone have an idea where a good place to start looking is?

The Failure decoding is a duplicate error message in a couple of
different places. I'd recommend modifying it per the other thread so
we can know exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding
Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security
library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Possible I guess.

If you convert that to a DER (openssl can do this pretty easily) you can try /usr/lib[64]/nss/unsupported/derdump -i /path/to/file. This may tell you approximately where it is blowing up

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to