[Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
Michael Mercier
2013-12-05 18:47:24 UTC
Hello,

A few details to begin:

The IPA system consists of 3 servers running on fully patched CentOS 6.5 (updated Monday night). DNS is integrated with the IPA system.

ipa-*-3.0.0-37.
mod_nss-1.0.8-19
openssl-1.0.1e-16

The system was upgraded from 2.2.

Yesterday, I revoked a certificate for an old system and signed a certificate for the replacement system (same hostname) with no apparent issues.

Today, I am attempting to sign a certificate for a new system and I am seeing the following error from the command line (with debug=True in /etc/ipa/default.conf):

ipa cert-request <csrfile>
principal: <hostname>

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request

The GUI responds with:
IPA ERROR 4310
Certificate operation cannot be completed: Failure decoding Certificate Signing Request

I have no issues running 'openssl req -text -noout -verify -in <csrfile>' on the request file.

I did do a 'yum update' on the system today (after experiencing the errors), with openssl and mod_nss being upgraded on all servers. All systems were rebooted after the upgrade and the problem still exists.

I did see an older thread with a similar issue, but that seemed to involve updating expired certs and Rob did not seem to be able to reproduce the error. Maybe I am experiencing the same problem?

Anyone have an idea where a good place to start looking is?

Thanks,
Mike
Rob Crittenden
2013-12-05 20:20:23 UTC
The Failure decoding is a duplicate error message in a couple of
different places. I'd recommend modifying it per the other thread so we
can know exactly where it failed and why.

rob
Dmitri Pal
2013-12-05 20:28:30 UTC
Rob do we need a ticket for that?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Rob Crittenden
2013-12-05 20:41:05 UTC
Already fixed in master and 3.3.3,
https://fedorahosted.org/freeipa/ticket/3988


rob
Michael Mercier
2013-12-06 17:16:31 UTC
Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Thanks,
Mike
Rob Crittenden
2013-12-06 18:39:51 UTC
Possible I guess.

If you convert that to a DER (openssl can do this pretty easily) you can
try /usr/lib[64]/nss/unsupported/derdump -i /path/to/file. This may tell
you approximately where it is blowing up.

rob
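
Added example, not part of the thread and not FreeIPA or NSS code: a strict DER walker in Python that reports the byte offset of the first malformed element, the kind of "where is it blowing up" answer derdump is suggested for above. The names `walk`, `first_der_error`, `GOOD` and `BAD` and both hex samples are constructed for illustration; the checks are general DER rules, not a diagnosis of the CSR in this thread.

```python
class BadDER(ValueError):
    """Raised with the byte offset of the first encoding that violates DER."""

def walk(der, pos=0, end=None, depth=0, out=None):
    """Return [(offset, depth, tag, length)] or raise BadDER at the first fault."""
    end = len(der) if end is None else end
    out = [] if out is None else out
    while pos < end:
        start = pos
        if end - pos < 2:
            raise BadDER(f"offset {start}: truncated tag/length header")
        tag, first = der[pos], der[pos + 1]
        pos += 2
        if tag & 0x1F == 0x1F:
            raise BadDER(f"offset {start}: multi-byte tag not handled by this example")
        if first < 0x80:                      # short form: the byte is the length
            length = first
        elif first == 0x80:                   # BER-only indefinite length
            raise BadDER(f"offset {start}: indefinite length is not valid DER")
        else:                                 # long form: next n bytes hold the length
            n = first & 0x7F
            raw = der[pos:min(pos + n, end)]
            if len(raw) < n:
                raise BadDER(f"offset {start}: truncated length field")
            length = int.from_bytes(raw, "big")
            if raw[0] == 0 or length < 0x80:  # DER requires the shortest encoding
                raise BadDER(f"offset {start}: non-minimal length encoding")
            pos += n
        if pos + length > end:
            raise BadDER(f"offset {start}: length {length} overruns its container")
        out.append((start, depth, tag, length))
        if tag & 0x20:                        # constructed: descend into contents
            walk(der, pos, pos + length, depth + 1, out)
        pos += length
    return out

def first_der_error(der):
    """Return None for well-formed DER, else the message naming the bad offset."""
    try:
        walk(der)
        return None
    except BadDER as exc:
        return str(exc)

# Constructed samples: the start of a CertificationRequestInfo
# (version 0, subject CN=host). BAD encodes the CN length as 81 04 instead of 04.
GOOD = bytes.fromhex("3014020100300f310d300b06035504030c04686f7374")
BAD = bytes.fromhex("30150201003010310e300c06035504030c8104686f7374")
```

Feed it the DER form of the request (the output of the openssl conversion mentioned above) read with `open(path, "rb").read()`.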