<div dir="ltr"><div><div><div>OK so I made process on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) </div><div>However, after using <pre>ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password </pre><pre></pre></div>and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>) (/sbin/service ipa restart), I still see: [root@test ~]# ipa-getcert list | more Number of certificates and requests being tracked: 8. Request ID '20111214223243': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be compl eted: Unable to communicate with CMS (Not Found)). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certific ate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate D B' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET expires: 2016-01-29 14:09:46 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20111214223300': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be compl eted: Unable to communicate with CMS (Not Found)). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20111214223316': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be compl eted: Unable to communicate with CMS (Not Found)). stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinf ile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes </div> </div>Here are other relevant output: <div> root@test ~]# /sbin/service ipa restart Restarting Directory Service Shutting down dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Starting dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Restarting KDC Service Stopping Kerberos 5 KDC: [ OK ] Starting Kerberos 5 KDC: [ OK ] Restarting KPASSWD Service Stopping Kerberos 5 Admin Server: [ OK ] Starting Kerberos 5 Admin Server: [ OK ] Restarting DNS Service Stopping named: . [ OK ] Starting named: [ OK ] Restarting MEMCACHE Service Stopping ipa_memcached: [ OK ] Starting ipa_memcached: [ OK ] Restarting HTTP Service Stopping httpd: [ OK ] Starting httpd: [ OK ] Restarting CA Service Stopping pki-ca: [ OK ] Starting pki-ca: [ OK ] [root@test ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: test@sample.NET Valid starting Expires Service principal 01/28/16 14:05:01 01/29/16 14:05:01 krbtgt/sample.NET@sample.NET 01/28/16 14:08:48 01/29/16 14:05:01 HTTP/test.sample.net@sample.NET [root@test ~]# ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) [root@caer ~]# /sbin/service httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ] Would really greatly appreciate any help on this. </div><div>Also I noticed after I do ldapmodify of usercertificate binary data with <pre>add: usercertificate;binary usercertificate;binary: !@#$@!#$#@$ </pre></div><div>Then I re-run <pre>ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca </pre></div><div>I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me. </div><div><div><pre></pre></div></div> <div class="gmail_quote"><div dir="ltr">On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <<a href="mailto:anthony.wan.cheng@gmail.com">anthony.wan.cheng@gmail.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on kerberoes. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated pasted the cert expire). </div>Also I had asked awhile back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency. </div>Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named: Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great) Jan 28 14:10:42 test named[2911]: loading configuration: failure Jan 28 14:10:42 test named[2911]: exiting (due to fatal error) Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Creden tials cache file '/tmp/krb5cc_496' not found) I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a kerberoes ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and reboot and try renew but the error message about clock skew is still there. That seems strange. <div><div> </div><div>Lastly, as a absolute last resort, can I regenerate a new cert myself? <a href="https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html" target="_blank">https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html</a> </div><div> [root@test /]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) [root@test /]# service ipa start Starting Directory Service Starting dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Starting KDC Service Starting Kerberos 5 KDC: [ OK ] Starting KPASSWD Service Starting Kerberos 5 Admin Server: [ OK ] Starting DNS Service Starting named: [FAILED] Failed to start DNS Service Shutting down Stopping Kerberos 5 KDC: [ OK ] Stopping Kerberos 5 Admin Server: [ OK ] Stopping named: [ OK ] Stopping httpd: [ OK ] Stopping pki-ca: [ OK ] Shutting down dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Aborting ipactl [root@test /]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) [root@test /]# service ipa status Directory Service: STOPPED Failed to get list of services to probe status: Directory Server is stopped </div></div></div> <div class="gmail_quote"><div dir="ltr">On Thu, Apr 28, 2016 at 3:21 AM David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 27/04/16 21:54, Anthony Cheng wrote: > Hi list, > > I am trying to renew expired certificates following the manual renewal procedure > here (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) but even with > resetting the system/hardware clock to a time before expires, I am getting the > error "ca-error: Error setting up ccache for local "host" service using default > keytab: Clock skew too great." > > With NTP disable and clock reset why would it complain about clock skew and how > does it even know about the current time? > > [root@test certs]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Audit,O=sample.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=OCSP Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>". > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=RA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20130519130745': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes[root@test certs]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Audit,O=sample.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=OCSP Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>". > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=RA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20130519130745': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > -- > > Thanks, Anthony > > > Hello Anthony! After stopping NTP (or other time synchronizing service) and setting time manually server really don't have a way to determine that its time differs from the real one. I think this might be issue with Kerberos ticket. You can show content of root's ticket cache using klist. If there is anything clean it with kdestroy and try to resubmit the request again. -- David Kupka </blockquote></div><div dir="ltr">-- </div>Thanks, Anthony </blockquote></div></div><div dir="ltr">-- </div>Thanks, Anthony