[Freeipa-users] Certificate system unavailable

Mon, 13 Jan 2014 06:34:44 -0800 

Hi,

I seem to have issues with the certificate system on my IPA installation. 
Looking up hosts in the
IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno 
-8015] error (-8015)
unknown".

I also notice that hosts says the certificate system is unavailable.

 certmonger: Server failed request, will retry: 4301 (RPC failed at server.  
Certificate operation
cannot be completed: Failure decoding Certificate Signing Request).


Looking at the pki-ca logs on the ipa servers I see that some selftest failed:

# tail -100 selftests.log
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: 
Initializing self test plugins:
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
all self test plugin
logger parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
all self test plugin
instances
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
all self test plugin
instance parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
self test plugins in
on-demand order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
self test plugins in
startup order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test 
plugins have been
successfully loaded!
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running 
self test plugins
specified to be executed at startup:
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence:  CA is present
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: 
system certs
verification failure
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin
called selftests.container.instance.SystemCertsVerification running at startup 
FAILED!

the pki-cad service is running and "pki-cad status" displays the ports 
available.
/etc/init.d/pki-cad status
pki-ca (pid 28697) is running...                           [  OK  ]


My main consern is that the certmonger requests for renew of certificates for 
LDAP on 2 out of 3
of the IPA servers has failed, and the current certificate is expiring the 19th 
of January, under
a week from now.

Do you have any suggestions to where I can start troubleshootng this issue?


Regards,
Siggi


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to