[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Anthony Cheng anthony.wan.cheng at gmail.com
Thu Apr 28 13:20:52 UTC 2016


klist is actually empty; kinit admin fails.  Sounds like getcert
resubmit then has a dependency on Kerberos.  I can get a backup image that has
a valid ticket but it is only good for 1 day (and dated past the cert
expiry).

Also I had asked a while back about whether there is a dependency on DIRSRV to
renew the cert; I didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/messages, which shows me
this, so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
need to get a Kerberos ticket before going any further.  Also, is the
/etc/krb5.keytab file's access/modification time important?  I had changed the time
back to before the cert expiration date, rebooted and tried to renew, but the
error message about clock skew is still there.  That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[root at test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root at test /]# service ipa start
Starting Directory Service
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    sample-NET...                                          [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting DNS Service
Starting named:                                            [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping named:                                            [  OK  ]
Stopping httpd:                                            [  OK  ]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    sample-NET...                                          [  OK  ]
Aborting ipactl
[root at test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root at test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped

On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com> wrote:

> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the manual renewal procedure
> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
> > resetting the system/hardware clock to a time before expiry, I am getting the
> > error "ca-error: Error setting up ccache for local "host" service using default
> > keytab: Clock skew too great."
> >
> > With NTP disabled and the clock reset, why would it complain about clock skew, and how
> > does it even know the current time?
> >
> > [root at test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >          status: MONITORING
> >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=test.sample.net,O=sample.NET
> >          expires: 2016-01-29 14:09:46 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20111214223300':
> >          status: MONITORING
> >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=test.sample.net,O=sample.NET
> >          expires: 2016-01-29 14:09:45 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20111214223316':
> >          status: MONITORING
> >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=test.sample.net,O=sample.NET
> >          expires: 2016-01-29 14:09:45 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130741':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=CA Audit,O=sample.NET
> >          expires: 2017-10-13 14:10:49 UTC
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130742':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=OCSP Subsystem,O=sample.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-OCSPSigning
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130743':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=CA Subsystem,O=sample.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130744':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=RA Subsystem,O=sample.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130745':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=sample.NET
> >          subject: CN=test.sample.net,O=sample.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > --
> >
> > Thanks, Anthony
> >
> >
> >
>
> Hello Anthony!
>
> After stopping NTP (or another time-synchronizing service) and setting the
> time manually, the server really doesn't have a way to determine that its time
> differs from the real one.
>
> I think this might be an issue with the Kerberos ticket. You can show the content
> of root's ticket cache using klist. If there is anything, clean it with
> kdestroy and try to resubmit the request again.
>
> --
> David Kupka
>
-- 

Thanks, Anthony
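The thread mixes two different failure causes in one `getcert list` dump: the IPA-issued service certs fail because the host keytab cannot get a Kerberos ticket ("Clock skew too great"), while the Dogtag-tracked certs fail because the renewal agent gets no response from the CA endpoint; the syslog lines add a third symptom, a service exiting for lack of a credentials cache. The script below is an added triage example written for this page, not FreeIPA or certmonger code. It parses a `getcert list` dump and syslog lines into records, classifies each request's cause, flags already-expired certs against a reference time, and prints which precondition (Kerberos ticket, CA reachability) has to be fixed before `getcert resubmit` can succeed. The sample input is constructed from the thread's output (abbreviated, PIN omitted); the reference time `NOW` is the date of the thread, and the classification rules are this example's own.

```python
"""Triage certmonger state and syslog for Kerberos/CA preconditions (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample, abbreviated from the thread's `getcert list` output.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
         status: MONITORING
         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
         stuck: no
         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
         CA: IPA
         expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
         status: NEED_CSR_GEN_PIN
         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
         stuck: yes
         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
         status: MONITORING
         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
         stuck: no
         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         CA: dogtag-ipa-renew-agent
         expires: 2017-10-13 14:09:49 UTC
"""

# Constructed sample: the /var/log/messages lines quoted in the thread.
SYSLOG = """\
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
"""

# Reference time for expiry checks: the date of the thread (assumption).
NOW = datetime(2016, 4, 28, 13, 20, 52, tzinfo=timezone.utc)

NICK_RE = re.compile(r"nickname='([^']*)'")
CCACHE_RE = re.compile(r"Credentials cache file '([^']+)' not found")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert(text):
    """Turn `getcert list` output into one dict per tracked request."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # skips the "Number of certificates ..." header
        key, _, value = line.partition(":")  # ca-error values contain ':' too
        current[key.strip()] = value.strip()
        if key.strip() == "key pair storage":
            nm = NICK_RE.search(value)
            current["nickname"] = nm.group(1) if nm else ""
    return records


def classify(record):
    """Map a request's ca-error to the precondition that is failing."""
    err = record.get("ca-error", "")
    if "Clock skew too great" in err:
        return "kerberos-clock-skew"   # KDC rejected the host keytab: time problem
    if "no response to" in err:
        return "ca-unreachable"        # renewal agent got nothing from the CA URL
    return "ok" if not err else "other"


def is_expired(record, now):
    """True when the tracked cert's 'expires' stamp is at or before `now`."""
    exp = datetime.strptime(record["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return exp <= now


def scan_syslog(text):
    """Count clock-skew failures, missing ccache paths and fatal service exits."""
    findings = {"clock_skew": 0, "missing_ccache": [], "fatal_exits": []}
    for line in text.splitlines():
        if "Clock skew too great" in line:
            findings["clock_skew"] += 1
        m = CCACHE_RE.search(line)
        if m:
            findings["missing_ccache"].append(m.group(1))
        if "exiting (due to fatal error)" in line:
            findings["fatal_exits"].append(line.split()[4].rstrip(":"))  # "named[2911]"
    return findings


def triage(getcert_text, syslog_text, now):
    """Combine both sources into per-request causes plus ordered remediation advice."""
    requests = [{"id": r["id"], "nickname": r.get("nickname", ""),
                 "cause": classify(r), "expired": is_expired(r, now)}
                for r in parse_getcert(getcert_text)]
    syslog = scan_syslog(syslog_text)
    causes = {r["cause"] for r in requests}
    advice = []
    if "kerberos-clock-skew" in causes or syslog["clock_skew"]:
        advice.append("KDC rejects the host keytab for clock skew: compare the server's time "
                      "with the KDC's, then klist/kdestroy before getcert resubmit.")
    if syslog["missing_ccache"]:
        advice.append("A service has no credentials cache; it needs a valid Kerberos ticket first.")
    if "ca-unreachable" in causes:
        advice.append("Renewal agent gets no response from the CA; pki-ca must be running "
                      "before the dogtag-tracked certs can be resubmitted.")
    return {"requests": requests, "syslog": syslog, "advice": advice}


if __name__ == "__main__":
    for req in triage(GETCERT_OUTPUT, SYSLOG, NOW)["requests"]:
        print(req)
    for line in triage(GETCERT_OUTPUT, SYSLOG, NOW)["advice"]:
        print("-", line)
```

Run it on a real host by replacing the two constructed strings with the output of `getcert list` and a slice of /var/log/messages; real certmonger output puts `key pair storage:` and its value on one line, as the sample does, so the parser does not need the mail-wrapping repairs applied to the quoted dump above.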