On 15.09.2016 11:29, Natxo Asenjo wrote:
hi,

one of our master servers has a problem with its certificates:

# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:24 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
    track: yes
    auto-renew: yes
Request ID '20121107212532':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:25 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20121107212548':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2016-10-12 10:49:24 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

Where should I start looking? In /var/log/httpd/error_log there is nothing of consequence.

--
Greetings,
natxo

Hello,

usually the most information can be found here:

/var/log/pki/pki-tomcat/ca/debug

Martin
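Added example, not part of the original thread: a small Python check that parses `getcert list` output like the one quoted above and reports tracked requests that are stuck, not in the normal MONITORING state, or close to expiry. The function names, the 28-day warning threshold and the second request in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: first request abridged from the thread, second one is hypothetical.
SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 907 (RPC failed at server.).
\tstuck: yes
\texpires: 2016-10-12 10:49:24 UTC
Request ID '20990101000000':
\tstatus: MONITORING
\tstuck: no
\texpires: 2018-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            # Split on the first colon only; values such as ca-error contain colons.
            key, _, value = line.strip().partition(":")
            cur[key] = value.strip()
    return requests

def needs_attention(requests, now, warn_days=28):
    """Return (request id, reasons) for requests that are unhealthy or expire soon."""
    findings = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status=" + r.get("status", "?"))
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in r:
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            days = (exp - now).days
            if days < warn_days:  # assumed threshold, adjust to local policy
                reasons.append(f"expires in {days} days")
        if reasons:
            findings.append((r["id"], reasons))
    return findings
if __name__ == "__main__":
    print(needs_attention(parse_getcert(SAMPLE), datetime(2016, 9, 15, 11, 29, tzinfo=timezone.utc)))
```

To use it on a live server, pass the saved output of `getcert list` to `parse_getcert` and `datetime.now(timezone.utc)` as `now`; any request it reports is a candidate for the CA debug log check mentioned in the reply.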
