We've seen many cases over several years of certmonger starting to repeatedly (every second) request certificates even though the certificate was issued on the first request. Overall, we saw 600k certificates created that way. The request is always in the "SUBMITTING" state. We did some investigation and found that, in the last instance, every time the certificate is "issued by CA and saved", there is an error: Unable to initialize NSS PR_LOAD_LIBRARY_ERROR
The cert isn't being saved because of the error, so certmonger is still treating it as "ready to renew". PR_LOAD_LIBRARY_ERROR, I think, can only come from loading the freebl shared library. I'm not sure what conditions would cause that. You could try brute force: start certmonger, attach strace -f to the pid and capture the output for at least one full run. I'd think that the library load issue would be in the output. What distribution is this?
Red Hat. It's not easy to repeat; I think it happens when a library is updated but certmonger is not restarted. In any case, there seems to be a flaw in the code that ignores subprocess errors. I've created a PR for this: #303.