On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote:
> I've got an IPA client on which certmonger is unable to renew a
> certificate.
>
> Here are the log messages from certmonger...
>
> 2023-06-20 08:24:49 [622035] Certificate submission attempt
> complete.
> 2023-06-20 08:24:49 [622035] Child status = 2.
> 2023-06-20 08:24:49 [622035] Child output:
> "Server at https://ipa5.ipa.example.com/ipa/json denied our
> request, giving up: 2100 (Insufficient access: SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Credential cache is >
> "
> 2023-06-20 08:24:49 [622035] Server at
> https://ipa5.ipa.example.com/ipa/json denied our request, giving up:
> 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more infor>
>
Today I restarted certmonger (in order to increase its debug level) and
the newly-started instance immediately resubmitted its request and was
issued with a new certificate. So I guess the problem was on the client
after all.

How old is certmonger? There was a file descriptor leak issue fixed
within the last couple of years that would cause a problem like that IIRC.

rob