On 15.09.2016 11:29, Natxo Asenjo wrote:
hi,

one of our master servers has a problem with its certificates:

# getcert list

Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes
Request ID '20121107212532':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20121107212548':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes


Where should I start looking?

In /var/log/httpd/error_log there is nothing of consequence.

--
Groeten,
natxo


Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug

Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
