<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anthony Cheng wrote:<br>
> OK so I made progress on my cert renewal issue; I was able to get kinit<br>
> working so I can follow the rest of the steps here<br>
> (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>)<br>
><br>
> However, after using<br>
><br>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password<br>
><br>
> and restarting apache (/sbin/service httpd restart), resubmitting 3<br>
> certs (ipa-getcert resubmit -i &lt;ID&gt;) and restarting IPA (resubmit -i &lt;ID&gt;)<br>
> (/sbin/service ipa restart), I still see:<br>
><br>
> [root@test ~]# ipa-getcert list | more<br>
> Number of certificates and requests being tracked: 8.<br>
> Request ID '20111214223243':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).<br>
<br>
IPA proxies requests to the CA through Apache. This means that while<br>
tomcat started ok it didn't load the dogtag CA application, hence the<br>
Not Found.<br>
<br>
Check the CA debug and selftest logs to see why it failed to start properly.<br>
<br>
[ snip ]<br>
<br></blockquote></div><div dir="ltr"><div class="gmail_quote"><div>Actually, after a reboot that error went away and I just get this error instead: "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list" <br><br>The result of service ipa restart is interesting, since it shows today's time when I already changed the date/time and disabled NTP, so somehow the system still knows today's time.<br><br>PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)<br></div></div></div><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> Would really greatly appreciate any help on this.<br>
><br>
> Also I noticed after I do ldapmodify of usercertificate binary data with<br>
><br>
> add: usercertificate;binary<br>
> usercertificate;binary: !@#$@!#$#@$<br>
<br>
You really pasted in binary? Or was this base64-encoded data?<br>
<br>
I wonder if there is a problem in the wiki. If this is really a binary<br>
value you should start with a DER-encoded cert and load it using<br>
something like:<br>
<br>
dn: uid=ipara,ou=people,o=ipaca<br>
changetype: modify<br>
add: usercertificate;binary<br>
usercertificate;binary:< file:///path/to/cert.der<br>
<br>
You can use something like openssl x509 to switch between PEM and DER<br>
formats.<br>
<br>
I have a vague memory that dogtag can deal with a multi-valued<br>
usercertificate attribute.<br>
<br>
rob<br>
<br></blockquote><div><br></div></div></div><div dir="ltr"><div class="gmail_quote"><div>Yes the wiki stated binary, the result of:<br>ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W<br><br>shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...<br><br></div><div>But the actual data is from a PEM though.<br></div></div></div><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
><br>
> Then I re-run<br>
><br>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca<br>
><br>
> I see 2 entries for usercertificate;binary (before modify there was only<br>
> 1) but they are duplicate and NOT from data that I added. That seems<br>
> incorrect to me.<br>
><br>
><br>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng<br>
> <<a href="mailto:anthony.wan.cheng@gmail.com" target="_blank">anthony.wan.cheng@gmail.com</a> <mailto:<a href="mailto:anthony.wan.cheng@gmail.com" target="_blank">anthony.wan.cheng@gmail.com</a>>> wrote:<br>
><br>
> klist is actually empty; kinit admin fails. Sounds like then<br>
> getcert resubmit has a dependency on Kerberos. I can get a backup<br>
> image that has a valid ticket but it is only good for 1 day (and<br>
> dated past the cert expiry).<br>
><br>
> Also I had asked a while back about whether there is a dependency on<br>
> DIRSRV to renew the cert; I didn't get any response but I suspect<br>
> there is a dependency.<br>
><br>
> Regarding the clock skew, I found out from /var/log/message, which<br>
> shows me this, so it may be from named:<br>
><br>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock<br>
> skew too great)<br>
> Jan 28 14:10:42 test named[2911]: loading configuration: failure<br>
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)<br>
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)<br>
><br>
> I don't have a krb5cc_496 file (since klist is empty), so it sounds to<br>
> me like I need to get a Kerberos ticket before going any further. Also,<br>
> is the file /etc/krb5.keytab access/modification time important? I<br>
> had changed the time back to before the cert expiration date, rebooted<br>
> and tried to renew, but the error message about clock skew is still<br>
> there. That seems strange.<br>
><br>
> Lastly, as an absolute last resort, can I regenerate a new cert<br>
> myself?<br>
> <a href="https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html" rel="noreferrer" target="_blank">https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html</a><br>
><br>
> [root@test /]# klist<br>
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)<br>
> [root@test /]# service ipa start<br>
> Starting Directory Service<br>
> Starting dirsrv:<br>
> PKI-IPA... [ OK ]<br>
> sample-NET... [ OK ]<br>
> Starting KDC Service<br>
> Starting Kerberos 5 KDC: [ OK ]<br>
> Starting KPASSWD Service<br>
> Starting Kerberos 5 Admin Server: [ OK ]<br>
> Starting DNS Service<br>
> Starting named: [FAILED]<br>
> Failed to start DNS Service<br>
> Shutting down<br>
> Stopping Kerberos 5 KDC: [ OK ]<br>
> Stopping Kerberos 5 Admin Server: [ OK ]<br>
> Stopping named: [ OK ]<br>
> Stopping httpd: [ OK ]<br>
> Stopping pki-ca: [ OK ]<br>
> Shutting down dirsrv:<br>
> PKI-IPA... [ OK ]<br>
> sample-NET... [ OK ]<br>
> Aborting ipactl<br>
> [root@test /]# klist<br>
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)<br>
> [root@test /]# service ipa status<br>
> Directory Service: STOPPED<br>
> Failed to get list of services to probe status:<br>
> Directory Server is stopped<br>
><br>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a><br>
> <mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>> wrote:<br>
><br>
> On 27/04/16 21:54, Anthony Cheng wrote:<br>
> > Hi list,<br>
> ><br>
> > I am trying to renew expired certificates following the<br>
> manual renewal procedure<br>
> > here (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>)<br>
> but even with<br>
> > resetting the system/hardware clock to a time before expiry,<br>
> I am getting the<br>
> > error "ca-error: Error setting up ccache for local "host"<br>
> service using default<br>
> > keytab: Clock skew too great."<br>
> ><br>
> > With NTP disabled and the clock reset, why would it complain about<br>
> clock skew and how<br>
> > does it even know about the current time?<br>
> ><br>
> > [root@test certs]# getcert list<br>
> > Number of certificates and requests being tracked: 8.<br>
> > Request ID '20111214223243':<br>
> > status: MONITORING<br>
> > ca-error: Error setting up ccache for local "host"<br>
> service using<br>
> > default keytab: Clock skew too great.<br>
> > stuck: no<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
> > Certificate<br>
> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
> > Certificate DB'<br>
> > CA: IPA<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
> > expires: 2016-01-29 14:09:46 UTC<br>
> > eku: id-kp-serverAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20111214223300':<br>
> > status: MONITORING<br>
> > ca-error: Error setting up ccache for local "host"<br>
> service using<br>
> > default keytab: Clock skew too great.<br>
> > stuck: no<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate<br>
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate<br>
> > DB'<br>
> > CA: IPA<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
> > expires: 2016-01-29 14:09:45 UTC<br>
> > eku: id-kp-serverAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20111214223316':<br>
> > status: MONITORING<br>
> > ca-error: Error setting up ccache for local "host"<br>
> service using<br>
> > default keytab: Clock skew too great.<br>
> > stuck: no<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> > Certificate DB'<br>
> > CA: IPA<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
> > expires: 2016-01-29 14:09:45 UTC<br>
> > eku: id-kp-serverAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20130519130741':<br>
> > status: NEED_CSR_GEN_PIN<br>
> > ca-error: Internal error: no response to<br>
> ><br>
> "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
> > stuck: yes<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
> > '<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB'<br>
> > CA: dogtag-ipa-renew-agent<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=CA Audit,O=sample.NET<br>
> > expires: 2017-10-13 14:10:49 UTC<br>
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> > post-save command:<br>
> /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> > "auditSigningCert cert-pki-ca"<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20130519130742':<br>
> > status: NEED_CSR_GEN_PIN<br>
> > ca-error: Internal error: no response to<br>
> ><br>
> "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
> > stuck: yes<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
> > '<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> > cert-pki-ca',token='NSS Certificate DB'<br>
> > CA: dogtag-ipa-renew-agent<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=OCSP Subsystem,O=sample.NET<br>
> > expires: 2017-10-13 14:09:49 UTC<br>
> > eku: id-kp-OCSPSigning<br>
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> > post-save command:<br>
> /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> > "ocspSigningCert cert-pki-ca"<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20130519130743':<br>
> > status: NEED_CSR_GEN_PIN<br>
> > ca-error: Internal error: no response to<br>
> ><br>
> "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
> > stuck: yes<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
> > '<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> > cert-pki-ca',token='NSS Certificate DB'<br>
> > CA: dogtag-ipa-renew-agent<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=CA Subsystem,O=sample.NET<br>
> > expires: 2017-10-13 14:09:49 UTC<br>
> > eku: id-kp-serverAuth,id-kp-clientAuth<br>
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> > post-save command:<br>
> /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> > "subsystemCert cert-pki-ca"<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20130519130744':<br>
> > status: MONITORING<br>
> > ca-error: Internal error: no response to<br>
> ><br>
> "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
> > stuck: no<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate<br>
> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB'<br>
> > CA: dogtag-ipa-renew-agent<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=RA Subsystem,O=sample.NET<br>
> > expires: 2017-10-13 14:09:49 UTC<br>
> > eku: id-kp-serverAuth,id-kp-clientAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> /usr/lib64/ipa/certmonger/renew_ra_cert<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > Request ID '20130519130745':<br>
> > status: NEED_CSR_GEN_PIN<br>
> > ca-error: Internal error: no response to<br>
> ><br>
> "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
> > stuck: yes<br>
> > key pair storage:<br>
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
> > '<br>
> > certificate:<br>
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> > cert-pki-ca',token='NSS Certificate DB'<br>
> > CA: dogtag-ipa-renew-agent<br>
> > issuer: CN=Certificate Authority,O=sample.NET<br>
> > subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
> > expires: 2017-10-13 14:09:49 UTC<br>
> > eku: id-kp-serverAuth,id-kp-clientAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> > track: yes<br>
> > auto-renew: yes<br>
> > --<br>
> ><br>
> > Thanks, Anthony<br>
> ><br>
> ><br>
> ><br>
><br>
> Hello Anthony!<br>
><br>
> After stopping NTP (or other time synchronizing service) and setting<br>
> the time manually, the server really doesn't have a way to determine<br>
> that its time differs from the real one.<br>
><br>
> I think this might be issue with Kerberos ticket. You can show<br>
> content<br>
> of root's ticket cache using klist. If there is anything, clean<br>
> it with kdestroy and try to resubmit the request again.<br>
><br>
> --<br>
> David Kupka<br>
><br>
> --<br>
><br>
> Thanks, Anthony<br>
><br>
> --<br>
><br>
> Thanks, Anthony<br>
><br>
><br>
><br>
<br>
</blockquote></div></div></div><div dir="ltr">-- <br></div><p dir="ltr">Thanks, Anthony</p>
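<p dir="ltr">Added example for this thread (not code from the FreeIPA wiki, from Rob's mail, or from the FreeIPA project): a standard-library Python script that does what Rob describes, converting PEM to DER and producing the ldapmodify LDIF for uid=ipara,ou=people,o=ipaca, plus the check a practitioner wants after seeing the ldapsearch output quoted above. ldapsearch base64-encodes a binary attribute exactly once, so decoding the value after "userCertificate;binary::" once must give DER, which for a certificate begins with the bytes 0x30 0x82. If it instead gives ASCII beginning "MII", the PEM body text was stored as the value and the certificate is double-encoded. The fragment quoted above, GJ6Q0NBbGVnQXd, is a substring of the base64 encoding of the text "MIIDbzCCAlegAwI", which is how the PEM body of an 883-byte certificate (DER 0x30 0x82 0x03 0x6f ...) begins; that is the signature of the double-encoded case, and the script reproduces it with a constructed DER stand-in. Function names such as classify_stored_value and simulate_ldapsearch are this example's own.</p>

```python
"""Check and build the usercertificate;binary value on the dogtag RA entry.

Added example for this thread, not code from the FreeIPA wiki or from Rob's
mail. Standard library only; the certificate below is a constructed stand-in.
"""
import base64
import re
import textwrap

# DN of the RA agent entry named in Rob's mail.
RA_DN = "uid=ipara,ou=people,o=ipaca"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Same conversion as `openssl x509 -in cert.pem -outform DER`:
    drop the armour lines and base64-decode the body."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Inverse conversion (`openssl x509 -inform DER -in cert.der`)."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def ldif_add_cert(der, dn=RA_DN):
    """LDIF for ldapmodify. A double colon means the value is base64 on the
    wire and the directory stores the decoded bytes, i.e. the DER itself.
    Inline equivalent of the `usercertificate;binary:< file:///...der` form."""
    b64 = base64.b64encode(der).decode("ascii")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: usercertificate;binary\nusercertificate;binary:: {b64}\n")


def classify_stored_value(ldapsearch_value):
    """Classify what ldapsearch prints after 'userCertificate;binary:: '.

    ldapsearch base64-encodes a binary attribute exactly once, so decoding
    once must give DER: SEQUENCE tag 0x30 followed by a long-form length
    (0x81..0x83) for any real certificate. If the decoded bytes are instead
    ASCII starting with 'MII' (the base64 of 0x30 0x82 ...) or a PEM header,
    the PEM text was stored as the value: the certificate is double-encoded."""
    raw = base64.b64decode("".join(ldapsearch_value.split()))
    if raw[:1] == b"\x30" and raw[1:2] in (b"\x81", b"\x82", b"\x83"):
        return "der"
    if raw.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-text"
    if raw[:3] == b"MII":
        return "pem-body"
    return "unknown"


# Constructed stand-in for a certificate: a DER SEQUENCE of 0x36f bytes whose
# inner TBSCertificate header is realistic and the rest is zero padding. It is
# not a parseable X.509 certificate; it only has the framing the check reads.
_TBS_HEADER = b"\x30\x82\x02\x57\xa0\x03\x02\x01\x02"
SAMPLE_DER = b"\x30\x82\x03\x6f" + _TBS_HEADER + b"\x00" * (0x36f - len(_TBS_HEADER))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def simulate_ldapsearch(stored_bytes):
    """What ldapsearch prints for a stored binary value: one base64 layer."""
    return base64.b64encode(stored_bytes).decode("ascii")


def run_checks():
    """Contrast loading the DER bytes with pasting the PEM body characters."""
    # Right: the directory holds the DER (what the file-URL form loads).
    right = simulate_ldapsearch(pem_to_der(SAMPLE_PEM))
    # Wrong: the PEM body characters themselves were stored as the value.
    wrong = simulate_ldapsearch(base64.b64encode(SAMPLE_DER))
    return {
        "right": classify_stored_value(right),
        "wrong": classify_stored_value(wrong),
        "wrong_value": wrong,
        "ldif": ldif_add_cert(pem_to_der(SAMPLE_PEM)),
    }


if __name__ == "__main__":
    r = run_checks()
    print("DER loaded ->", r["right"])
    print("PEM pasted ->", r["wrong"], "; ldapsearch shows", r["wrong_value"][:24], "...")
    print(r["ldif"][:120], "...")
```

<p dir="ltr">Running the script directly prints both classifications; the "PEM pasted" line begins TUlJRGJ6Q0NBbGVnQXd, the same pattern as the ldapsearch output quoted above. To diagnose a live entry, pass the value after "userCertificate;binary::" from ldapsearch to classify_stored_value; if it reports pem-body, load the certificate again the way Rob describes, as DER produced by openssl x509 (or pem_to_der here), using either the file-URL form or the double-colon LDIF this script prints.</p>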