jochem--- via FreeIPA-users wrote:
Hello all,
This is my first post here, so be gentle.
I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on CentOS
7.3.1611 and for a while now I can't get any certificates to my hosts.
The client has ipa-client-4.4.0-14.el7.centos.7.x86_64 installed and is also running
CentOS 7.3.1611 (actually, this happens on all new clients, same OS, same version).
I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k
/etc/pki/tls/private/servername.key' on the client. This runs without any errors. When
I look at the output of 'ipa-getcert list' I get:
Request ID '20170610005114':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (String index out of range: -36)).
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
On the FreeIPA server I noticed in /var/log/httpd/error_log:
[Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR: ra.request_certificate(): FAILURE (String index out of range: -36)
[Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver] host/<hostname removed>: cert_request(<removed certificate for security reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'): CertificateOperationError
Any thoughts on how to fix this? Or debug this further? This is a single FreeIPA server
with no replicas. When this is fixed I'm going to add a replica, but I don't
think I can do that without fixing this.
I suspect this error is coming from the CA itself. I'd try this, it
might give more info.
Create /etc/ipa/server.conf with the contents:
[global]
debug = True
Then restart httpd and do your request again. It should log more steps
in the Apache error log.
You might also look at /var/log/pki/pki-tomcat/ca/debug
rob
Best regards,
Jochem Kuijpers
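As an added illustration (not part of the thread), the following script parses 'ipa-getcert list' output like the one quoted above and pulls out every tracked request whose CA call is failing, together with the RPC error code and message, which is handy for spotting CA_UNREACHABLE requests across many clients. The sample text is constructed from the output in the thread plus one healthy request for contrast.

```python
import re

# Constructed sample: the certmonger output from the thread (ca-error re-joined
# onto one line) plus a hypothetical healthy request.
SAMPLE = """\
Request ID '20170610005114':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (String index out of range: -36)).
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
        CA: IPA
        track: yes
        auto-renew: yes
Request ID '20170101000000':
        status: MONITORING
        CA: IPA
        track: yes
        auto-renew: yes
"""

def parse_getcert_list(text):
    """Turn 'ipa-getcert list' output into a list of {field: value} dicts."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        if requests and ":" in line:
            # Split on the first colon only; values such as URLs contain colons.
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def failing_requests(requests):
    """Return (id, status, rpc_code, message) for requests whose CA call failed."""
    out = []
    for r in requests:
        if r.get("status") == "MONITORING" or "ca-error" not in r:
            continue
        # certmonger formats IPA RPC failures as 'will retry: <code> (<message>).'
        m = re.search(r"will retry: (\d+) \((.*)\)\.?$", r["ca-error"])
        code = int(m.group(1)) if m else None
        msg = m.group(2) if m else r["ca-error"]
        out.append((r["id"], r["status"], code, msg))
    return out

if __name__ == "__main__":
    for rid, status, code, msg in failing_requests(parse_getcert_list(SAMPLE)):
        print(f"{rid}: {status} (RPC {code}): {msg}")
```

Feeding it real output (`ipa-getcert list | python3 script.py`-style, after swapping SAMPLE for stdin) gives a quick per-host view of which requests certmonger keeps retrying and why.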
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org