Michael Mercier wrote:

On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Michael Mercier wrote:
Hello,

A few details to begin:

The IPA system consists of 3 servers running on fully patched CentOS
6.5 (updated Monday night).  DNS is integrated with the IPA system.

ipa-*-3.0.0-37.
mod_nss-1.0.8-19
openssl-1.0.1e-16

The system was upgraded from 2.2

Yesterday, I revoked a certificate for an old system and signed a
certificate for the replacement system (same hostname) with no
apparent issues.

Today, I am attempting to sign a certificate for a new system and I
am seeing the following error from the command line (with debug=True
in /etc/ipa/default.conf):

ipa cert-request <csrfile>
principal: <hostname>

ipa: ERROR: Certificate operation cannot be completed: Failure
decoding Certificate Signing Request

The GUI responds with:
IPA ERROR 4310
Certificate operation cannot be completed: Failure decoding
Certificate Signing Request

I have no issues running 'openssl req -text -noout -verify -in
<csrfile>' on the request file.

I did do a 'yum update' on the system today (after experiencing the
errors), with openssl and mod_nss being upgraded on all servers.  All
systems were rebooted after the upgrade and the problem still exists.

I did see an older thread with a similar issue, but that seemed to
involve updating expired certs and Rob did not seem to be able to
reproduce the error.  Maybe I am experiencing the same problem?

Anyone have an idea where a good place to start looking is?

The Failure decoding is a duplicate error message in a couple of
different places. I'd recommend modifying it per the other thread so
we can know exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding
Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security
library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Possible I guess.

If you convert that to a DER (openssl can do this pretty easily) you can try /usr/lib[64]/nss/unsupported/derdump -i /path/to/file. This may tell you approximately where it is blowing up

rob
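As an added illustration of the two steps Rob suggests (convert the PEM CSR to DER, then walk the DER to see where decoding breaks), here is a small Python checker that is not part of the thread, of FreeIPA or of NSS. The sample bytes are constructed by hand, not a real keytool CSR, and the checker only handles the low-tag-number form that X.509 structures use.

```python
"""Constructed example: locate the first malformed element in a DER blob,
roughly what derdump reports, plus the PEM-to-DER step that precedes it."""
import base64
import re


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor (any BEGIN/END label) and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def check_der(data: bytes) -> tuple:
    """Walk the TLV tree; return (ok, message). On failure the message names
    the byte offset of the offending tag or length byte."""
    def walk(start: int, end: int) -> None:
        pos = start
        while pos < end:
            tag = data[pos]
            pos += 1
            if tag & 0x1F == 0x1F:
                raise ValueError(f"offset {pos - 1}: high-tag-number form not handled")
            if pos >= end:
                raise ValueError(f"offset {pos - 1}: tag without a length byte")
            first = data[pos]
            pos += 1
            if first == 0x80:
                raise ValueError(f"offset {pos - 1}: indefinite length is BER, not DER")
            if first & 0x80:                       # long-form length
                nbytes = first & 0x7F
                if pos + nbytes > end:
                    raise ValueError(f"offset {pos - 1}: truncated long-form length")
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                if length < 0x80 or (nbytes > 1 and data[pos] == 0):
                    raise ValueError(f"offset {pos - 1}: non-minimal length encoding")
                pos += nbytes
            else:
                length = first
            if pos + length > end:
                raise ValueError(f"offset {pos - 1}: length {length} overruns data")
            if tag & 0x20:                         # constructed: check the contents too
                walk(pos, pos + length)
            pos += length
    try:
        walk(0, len(data))
    except ValueError as exc:
        return False, str(exc)
    return True, "well-formed DER"


# Constructed sample: SEQUENCE { INTEGER 0, SEQUENCE { PrintableString "ipa" } }
GOOD_DER = bytes.fromhex("300a020100300513036970 61".replace(" ", ""))
GOOD_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.b64encode(GOOD_DER).decode() + "\n-----END CERTIFICATE REQUEST-----\n")
# Same structure, but the inner string claims 4 bytes where only 3 remain.
BAD_DER = bytes.fromhex("300a02010030051304697061")
```

Running check_der on a CSR that NSS rejects with SEC_ERROR_BAD_DER narrows the problem to one offset, which can then be matched against the openssl and derdump output.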

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
