Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
Michael Mercier wrote:
> On Dec 5, 2013, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Michael Mercier wrote:
>>> Hello,
>>>
>>> A few details to begin:
>>>
>>> The IPA system consists of 3 servers running on fully patched CentOS 6.5
>>> (updated Monday night). DNS is integrated with the IPA system.
>>>
>>> ipa-*-3.0.0-37.
>>> mod_nss-1.0.8-19
>>> openssl-1.0.1e-16
>>>
>>> The system was upgraded from 2.2
>>>
>>> Yesterday, I revoked a certificate for an old system and signed a
>>> certificate for the replacement system (same hostname) with no apparent
>>> issues.
>>>
>>> Today, I am attempting to sign a certificate for a new system and I am
>>> seeing the following error from the command line (with debug=True in
>>> /etc/ipa/default.conf):
>>>
>>> ipa cert-request
>>> principal:
>>>
>>> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
>>> Certificate Signing Request
>>>
>>> The GUI responds with:
>>> IPA ERROR 4310
>>> Certificate operation cannot be completed: Failure decoding Certificate
>>> Signing Request
>>>
>>> I have no issues running 'openssl req -text -noout -verify -in ' on
>>> the request file.
>>>
>>> I did do a 'yum update' on the system today (after experiencing the errors),
>>> with openssl and mod_nss being upgraded on all servers. All systems were
>>> rebooted after the upgrade and the problem still exists.
>>>
>>> I did see an older thread with a similar issue, but that seemed to involve
>>> updating expired certs and Rob did not seem to be able to reproduce the
>>> error. Maybe I am experiencing the same problem?
>>>
>>> Anyone have an idea where a good place to start looking is?
>>
>> The Failure decoding is a duplicate error message in a couple of different
>> places. I'd recommend modifying it per the other thread so we can know
>> exactly where it failed and why.
>
> Here is the exact message after applying the patch…
>
> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security
> library: improperly formatted DER-encoded message.
>
> Note: I used java keytool to create the CSR, could that be the problem?

Possible I guess. If you convert that to a DER (openssl can do this pretty easily) you can try /usr/lib[64]/nss/unsupported/derdump -i /path/to/file. This may tell you approximately where it is blowing up.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
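Added example, not part of the thread and not FreeIPA or NSS code: Rob's suggestion above is to find where the DER decoder gives up. The walker below takes the DER bytes of a request (the output of the openssl conversion he mentions) and reports the byte offset of the first length or framing violation; the function names and sample bytes are constructed for illustration, and only framing is checked, not the content rules of individual types.

```python
class DerError(ValueError):
    """args = (byte offset, reason) of the first DER rule violation."""

def walk_der(data, start=0, end=None, depth=0, out=None):
    """Strictly walk TLVs; return [(offset, depth, tag, length)] or raise DerError."""
    end = len(data) if end is None else end
    out = [] if out is None else out
    pos = start
    while pos < end:
        tlv, tag = pos, data[pos]
        if (tag & 0x1F) == 0x1F:
            raise DerError(tlv, "multi-byte tag (unsupported here)")
        if pos + 2 > end:
            raise DerError(tlv, "truncated before length octet")
        first = data[pos + 1]
        pos += 2
        if first == 0x80:
            raise DerError(tlv, "indefinite length (BER, not DER)")
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if pos + n > end:
                raise DerError(tlv, "truncated length octets")
            length = int.from_bytes(data[pos:pos + n], "big")
            if data[pos] == 0 or length < 0x80:
                raise DerError(tlv, "non-minimal length encoding")
            pos += n
        if pos + length > end:
            raise DerError(tlv, "content runs past its enclosing element")
        out.append((tlv, depth, tag, length))
        if tag & 0x20:  # constructed type: descend into the children
            walk_der(data, pos, pos + length, depth + 1, out)
        pos += length
    return out

def first_der_error(data):
    """Return (offset, reason) for the first violation, or None if the walk is clean."""
    try:
        walk_der(data)
    except DerError as exc:
        return exc.args
    return None

# Constructed samples (not from the thread): SEQUENCE { INTEGER 0, SEQUENCE {} },
# then the same structure with the INTEGER length in BER long form (81 01).
GOOD = bytes.fromhex("30050201003000")
BAD = bytes.fromhex("3006028101003000")
```

A reported offset can be matched against the offsets in a dump of the same file to see which field of the request carries the bad encoding.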
Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
On Dec 5, 2013, at 3:20 PM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> Hello,
>>
>> A few details to begin:
>>
>> The IPA system consists of 3 servers running on fully patched CentOS 6.5
>> (updated Monday night). DNS is integrated with the IPA system.
>>
>> ipa-*-3.0.0-37.
>> mod_nss-1.0.8-19
>> openssl-1.0.1e-16
>>
>> The system was upgraded from 2.2
>>
>> Yesterday, I revoked a certificate for an old system and signed a
>> certificate for the replacement system (same hostname) with no apparent
>> issues.
>>
>> Today, I am attempting to sign a certificate for a new system and I am
>> seeing the following error from the command line (with debug=True in
>> /etc/ipa/default.conf):
>>
>> ipa cert-request
>> principal:
>>
>> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
>> Certificate Signing Request
>>
>> The GUI responds with:
>> IPA ERROR 4310
>> Certificate operation cannot be completed: Failure decoding Certificate
>> Signing Request
>>
>> I have no issues running 'openssl req -text -noout -verify -in ' on
>> the request file.
>>
>> I did do a 'yum update' on the system today (after experiencing the errors),
>> with openssl and mod_nss being upgraded on all servers. All systems were
>> rebooted after the upgrade and the problem still exists.
>>
>> I did see an older thread with a similar issue, but that seemed to involve
>> updating expired certs and Rob did not seem to be able to reproduce the
>> error. Maybe I am experiencing the same problem?
>>
>> Anyone have an idea where a good place to start looking is?
>
> The Failure decoding is a duplicate error message in a couple of different
> places. I'd recommend modifying it per the other thread so we can know
> exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Thanks,
Mike

>
> rob
Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
Dmitri Pal wrote:
> On 12/05/2013 03:20 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>> Hello,
>>>
>>> A few details to begin:
>>>
>>> The IPA system consists of 3 servers running on fully patched CentOS
>>> 6.5 (updated Monday night). DNS is integrated with the IPA system.
>>>
>>> ipa-*-3.0.0-37.
>>> mod_nss-1.0.8-19
>>> openssl-1.0.1e-16
>>>
>>> The system was upgraded from 2.2
>>>
>>> Yesterday, I revoked a certificate for an old system and signed a
>>> certificate for the replacement system (same hostname) with no
>>> apparent issues.
>>>
>>> Today, I am attempting to sign a certificate for a new system and I
>>> am seeing the following error from the command line (with debug=True
>>> in /etc/ipa/default.conf):
>>>
>>> ipa cert-request
>>> principal:
>>>
>>> ipa: ERROR: Certificate operation cannot be completed: Failure
>>> decoding Certificate Signing Request
>>>
>>> The GUI responds with:
>>> IPA ERROR 4310
>>> Certificate operation cannot be completed: Failure decoding
>>> Certificate Signing Request
>>>
>>> I have no issues running 'openssl req -text -noout -verify -in
>>> ' on the request file.
>>>
>>> I did do a 'yum update' on the system today (after experiencing the
>>> errors), with openssl and mod_nss being upgraded on all servers. All
>>> systems were rebooted after the upgrade and the problem still exists.
>>>
>>> I did see an older thread with a similar issue, but that seemed to
>>> involve updating expired certs and Rob did not seem to be able to
>>> reproduce the error. Maybe I am experiencing the same problem?
>>>
>>> Anyone have an idea where a good place to start looking is?
>>
>> The Failure decoding is a duplicate error message in a couple of
>> different places. I'd recommend modifying it per the other thread so
>> we can know exactly where it failed and why.
>>
>> rob
>
> Rob do we need a ticket for that?

Already fixed in master and 3.3.3, https://fedorahosted.org/freeipa/ticket/3988

rob
Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
On 12/05/2013 03:20 PM, Rob Crittenden wrote:
> Michael Mercier wrote:
>> Hello,
>>
>> A few details to begin:
>>
>> The IPA system consists of 3 servers running on fully patched CentOS
>> 6.5 (updated Monday night). DNS is integrated with the IPA system.
>>
>> ipa-*-3.0.0-37.
>> mod_nss-1.0.8-19
>> openssl-1.0.1e-16
>>
>> The system was upgraded from 2.2
>>
>> Yesterday, I revoked a certificate for an old system and signed a
>> certificate for the replacement system (same hostname) with no
>> apparent issues.
>>
>> Today, I am attempting to sign a certificate for a new system and I
>> am seeing the following error from the command line (with debug=True
>> in /etc/ipa/default.conf):
>>
>> ipa cert-request
>> principal:
>>
>> ipa: ERROR: Certificate operation cannot be completed: Failure
>> decoding Certificate Signing Request
>>
>> The GUI responds with:
>> IPA ERROR 4310
>> Certificate operation cannot be completed: Failure decoding
>> Certificate Signing Request
>>
>> I have no issues running 'openssl req -text -noout -verify -in
>> ' on the request file.
>>
>> I did do a 'yum update' on the system today (after experiencing the
>> errors), with openssl and mod_nss being upgraded on all servers. All
>> systems were rebooted after the upgrade and the problem still exists.
>>
>> I did see an older thread with a similar issue, but that seemed to
>> involve updating expired certs and Rob did not seem to be able to
>> reproduce the error. Maybe I am experiencing the same problem?
>>
>> Anyone have an idea where a good place to start looking is?
>
> The Failure decoding is a duplicate error message in a couple of
> different places. I'd recommend modifying it per the other thread so
> we can know exactly where it failed and why.
>
> rob

Rob do we need a ticket for that?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
Michael Mercier wrote:
> Hello,
>
> A few details to begin:
>
> The IPA system consists of 3 servers running on fully patched CentOS 6.5
> (updated Monday night). DNS is integrated with the IPA system.
>
> ipa-*-3.0.0-37.
> mod_nss-1.0.8-19
> openssl-1.0.1e-16
>
> The system was upgraded from 2.2
>
> Yesterday, I revoked a certificate for an old system and signed a
> certificate for the replacement system (same hostname) with no apparent
> issues.
>
> Today, I am attempting to sign a certificate for a new system and I am
> seeing the following error from the command line (with debug=True in
> /etc/ipa/default.conf):
>
> ipa cert-request
> principal:
>
> ipa: ERROR: Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request
>
> The GUI responds with:
> IPA ERROR 4310
> Certificate operation cannot be completed: Failure decoding Certificate
> Signing Request
>
> I have no issues running 'openssl req -text -noout -verify -in ' on
> the request file.
>
> I did do a 'yum update' on the system today (after experiencing the errors),
> with openssl and mod_nss being upgraded on all servers. All systems were
> rebooted after the upgrade and the problem still exists.
>
> I did see an older thread with a similar issue, but that seemed to involve
> updating expired certs and Rob did not seem to be able to reproduce the
> error. Maybe I am experiencing the same problem?
>
> Anyone have an idea where a good place to start looking is?

The Failure decoding is a duplicate error message in a couple of different places. I'd recommend modifying it per the other thread so we can know exactly where it failed and why.

rob