[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Anthony Cheng anthony.wan.cheng at gmail.com
Fri Apr 29 22:34:37 UTC 2016


I made further progress: I managed to get it into the NEED_TO_SUBMIT state
again after a reboot, and this time klist and the clock look good.  However,
I am getting this error while restarting IPA:

Starting dirsrv:
 PKI-IPA...[29/Apr/2016:21:41:48 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching
all files on the computer, I found some files that have that time:
var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
/var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in the
error log:
Starting dirsrv:
    PKI-IPA...[28/Sep/2014:14:58:15 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
    sample-NET...[28/Sep/2014:14:58:16 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2, and one is expired no
matter what time I set the clock to, because of the gap between them; this
seems to indicate that I need to remove one of them:

[root at test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep
'Issuer\|Not\|Subject\|Name'
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng <anthony.wan.cheng at gmail.com>
wrote:

> OK so I made progress on my cert renewal issue; I was able to get kinit
> working so I can follow the rest of the steps here (
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
> (ipa-getcert resubmit -i <ID>) and restarting IPA
> (/sbin/service ipa restart), I still see:
>
> [root at test ~]# ipa-getcert list | more
>
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certific
>
> ate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate D
> B'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>
>         expires: 2016-01-29 14:09:46 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
>
>  DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>
>         expires: 2016-01-29 14:09:45 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223316':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinf
>
> ile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>
>         expires: 2016-01-29 14:09:45 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
>
> Here is other relevant output:
>
> root at test ~]# /sbin/service ipa restart
> Restarting Directory Service
>
> Shutting down dirsrv:
>     PKI-IPA...                                             [  OK  ]
>     sample-NET...                                          [  OK  ]
> Starting dirsrv:
>     PKI-IPA...                                             [  OK  ]
>     sample-NET...                                          [  OK  ]
> Restarting KDC Service
>
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Restarting KPASSWD Service
>
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Restarting DNS Service
> Stopping named: .                                          [  OK  ]
> Starting named:                                            [  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:                                    [  OK  ]
> Starting ipa_memcached:                                    [  OK  ]
> Restarting HTTP Service
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
> Restarting CA Service
> Stopping pki-ca:                                           [  OK  ]
> Starting pki-ca:                                           [  OK  ]
>
> [root at test ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: test at sample.NET
>
> Valid starting     Expires            Service principal
> 01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample.NET at sample.NET
> 01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample.net at sample.NET
>
> [root at test ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> [root at caer ~]# /sbin/service httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
>
>
> Would really greatly appreciate any help on this.
>
> Also I noticed after I do ldapmodify of usercertificate binary data with
>
> add: usercertificate;binary
> usercertificate;binary: !@#$@!#$#@$
>
> Then I re-run
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>
> I see 2 entries for usercertificate;binary (before the modify there was only
> 1), but they are duplicates and NOT from the data that I added.  That seems
> incorrect to me.
>
>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.cheng at gmail.com>
> wrote:
>
>> klist is actually empty; kinit admin fails.  Sounds like getcert
>> resubmit has a dependency on Kerberos then.  I can get a backup image that
>> has a valid ticket, but it is only good for 1 day (and dated past the cert
>> expiry).
>>
>> Also I had asked a while back about whether there is a dependency on DIRSRV
>> to renew the cert; I didn't get any response, but I suspect there is a
>> dependency.
>>
>> Regarding the clock skew, I found this in /var/log/message, so it may be
>> from named:
>>
>> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew
>> too great)
>> Jan 28 14:10:42 test named[2911]: loading configuration: failure
>> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Creden
>> tials cache file '/tmp/krb5cc_496' not found)
>>
>> I don't have a krb5cc_496 file (since klist is empty), so it sounds to me
>> like I need to get a Kerberos ticket before going any further.  Also, is the
>> /etc/krb5.keytab access/modification time important?  I had changed the time
>> back to before the cert expiration date, rebooted and tried to renew, but the
>> error message about clock skew is still there.  That seems strange.
>>
>> Lastly, as an absolute last resort, can I regenerate a new cert myself?
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>
>> [root at test /]# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> [root at test /]# service ipa start
>> Starting Directory Service
>> Starting dirsrv:
>>     PKI-IPA...                                             [  OK  ]
>>     sample-NET...                                          [  OK  ]
>> Starting KDC Service
>> Starting Kerberos 5 KDC:                                   [  OK  ]
>> Starting KPASSWD Service
>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>> Starting DNS Service
>> Starting named:                                            [FAILED]
>> Failed to start DNS Service
>> Shutting down
>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>> Stopping named:                                            [  OK  ]
>> Stopping httpd:                                            [  OK  ]
>> Stopping pki-ca:                                           [  OK  ]
>> Shutting down dirsrv:
>>     PKI-IPA...                                             [  OK  ]
>>     sample-NET...                                          [  OK  ]
>> Aborting ipactl
>> [root at test /]# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> [root at test /]# service ipa status
>> Directory Service: STOPPED
>> Failed to get list of services to probe status:
>> Directory Server is stopped
>>
>> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com> wrote:
>>
>>> On 27/04/16 21:54, Anthony Cheng wrote:
>>> > Hi list,
>>> >
>>> > I am trying to renew expired certificates following the manual renewal
>>> > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal),
>>> > but even with resetting the system/hardware clock to a time before they
>>> > expired, I am getting the error "ca-error: Error setting up ccache for
>>> > local "host" service using default keytab: Clock skew too great."
>>> >
>>> > With NTP disabled and the clock reset, why would it complain about clock
>>> > skew, and how does it even know the current time?
>>> >
>>> > [root at test certs]# getcert list
>>> > Number of certificates and requests being tracked: 8.
>>> > Request ID '20111214223243':
>>> >          status: MONITORING
>>> >          ca-error: Error setting up ccache for local "host" service
>>> using
>>> > default keytab: Clock skew too great.
>>> >          stuck: no
>>> >          key pair storage:
>>> >
>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>> > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>> >          certificate:
>>> >
>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>> > Certificate DB'
>>> >          CA: IPA
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=test.sample.net,O=sample.NET
>>> >          expires: 2016-01-29 14:09:46 UTC
>>> >          eku: id-kp-serverAuth
>>> >          pre-save command:
>>> >          post-save command:
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20111214223300':
>>> >          status: MONITORING
>>> >          ca-error: Error setting up ccache for local "host" service
>>> using
>>> > default keytab: Clock skew too great.
>>> >          stuck: no
>>> >          key pair storage:
>>> >
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>> Certificate
>>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> >          certificate:
>>> >
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>> Certificate
>>> > DB'
>>> >          CA: IPA
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=test.sample.net,O=sample.NET
>>> >          expires: 2016-01-29 14:09:45 UTC
>>> >          eku: id-kp-serverAuth
>>> >          pre-save command:
>>> >          post-save command:
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20111214223316':
>>> >          status: MONITORING
>>> >          ca-error: Error setting up ccache for local "host" service
>>> using
>>> > default keytab: Clock skew too great.
>>> >          stuck: no
>>> >          key pair storage:
>>> >
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >          certificate:
>>> >
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> > Certificate DB'
>>> >          CA: IPA
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=test.sample.net,O=sample.NET
>>> >          expires: 2016-01-29 14:09:45 UTC
>>> >          eku: id-kp-serverAuth
>>> >          pre-save command:
>>> >          post-save command:
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20130519130741':
>>> >          status: NEED_CSR_GEN_PIN
>>> >          ca-error: Internal error: no response to
>>> > "
>>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>>> ".
>>> >          stuck: yes
>>> >          key pair storage:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> >          certificate:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>> > cert-pki-ca',token='NSS Certificate DB'
>>> >          CA: dogtag-ipa-renew-agent
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=CA Audit,O=sample.NET
>>> >          expires: 2017-10-13 14:10:49 UTC
>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> > "auditSigningCert cert-pki-ca"
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20130519130742':
>>> >          status: NEED_CSR_GEN_PIN
>>> >          ca-error: Internal error: no response to
>>> > "
>>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>>> ".
>>> >          stuck: yes
>>> >          key pair storage:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> >          certificate:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>> > cert-pki-ca',token='NSS Certificate DB'
>>> >          CA: dogtag-ipa-renew-agent
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=OCSP Subsystem,O=sample.NET
>>> >          expires: 2017-10-13 14:09:49 UTC
>>> >          eku: id-kp-OCSPSigning
>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> > "ocspSigningCert cert-pki-ca"
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20130519130743':
>>> >          status: NEED_CSR_GEN_PIN
>>> >          ca-error: Internal error: no response to
>>> > "
>>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>>> ".
>>> >          stuck: yes
>>> >          key pair storage:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> >          certificate:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>> > cert-pki-ca',token='NSS Certificate DB'
>>> >          CA: dogtag-ipa-renew-agent
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=CA Subsystem,O=sample.NET
>>> >          expires: 2017-10-13 14:09:49 UTC
>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> > "subsystemCert cert-pki-ca"
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20130519130744':
>>> >          status: MONITORING
>>> >          ca-error: Internal error: no response to
>>> > "
>>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>>> ".
>>> >          stuck: no
>>> >          key pair storage:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate
>>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >          certificate:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> >          CA: dogtag-ipa-renew-agent
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=RA Subsystem,O=sample.NET
>>> >          expires: 2017-10-13 14:09:49 UTC
>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>> >          pre-save command:
>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> >          track: yes
>>> >          auto-renew: yes
>>> > Request ID '20130519130745':
>>> >          status: NEED_CSR_GEN_PIN
>>> >          ca-error: Internal error: no response to
>>> > "
>>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>>> ".
>>> >          stuck: yes
>>> >          key pair storage:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> >          certificate:
>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>> > cert-pki-ca',token='NSS Certificate DB'
>>> >          CA: dogtag-ipa-renew-agent
>>> >          issuer: CN=Certificate Authority,O=sample.NET
>>> >          subject: CN=test.sample.net,O=sample.NET
>>> >          expires: 2017-10-13 14:09:49 UTC
>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>> >          pre-save command:
>>> >          post-save command:
>>> >          track: yes
>>> >          auto-renew: yes
>>> > --
>>> >
>>> > Thanks, Anthony
>>> >
>>> >
>>> >
>>>
>>> Hello Anthony!
>>>
>>> After stopping NTP (or another time synchronizing service) and setting
>>> the time manually, the server really doesn't have a way to determine that
>>> its time differs from the real one.
>>>
>>> I think this might be an issue with the Kerberos ticket. You can show the
>>> content of root's ticket cache using klist. If there is anything, clean it
>>> with kdestroy and try to resubmit the request again.
>>>
>>> --
>>> David Kupka
>>>
>> --
>>
>> Thanks, Anthony
>>
> --
>
> Thanks, Anthony
>
-- 

Thanks, Anthony
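The situation in the post above (two Server-Cert copies under one NSS nickname whose validity windows do not overlap, so no clock setting makes both valid) can be checked mechanically from the `certutil -L -n Server-Cert` text. This is an added example, not code from FreeIPA or from the poster; it assumes certutil's "Not Before"/"Not After" date format as quoted in the thread and uses a constructed copy of that output as its input.

```python
"""Decide which copies of a certificate nickname in an NSS database are
valid at a given clock time, from the text `certutil -L -d <db> -n <nick>`
prints.  Added example for this thread; not code from FreeIPA or from the
poster.  The sample input is constructed from the certutil output quoted
in the post (two Server-Cert copies, the older one long expired)."""
import re
from datetime import datetime, timezone

# Constructed sample: the two Server-Cert entries from the post, trimmed to
# the lines this parser reads.
CERTUTIL_OUTPUT = """\
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
"""

# certutil prints validity as e.g. "Sun Aug 02 14:09:45 2015", in UTC.
_DATE_FMT = "%a %b %d %H:%M:%S %Y"
_RE_ISSUER = re.compile(r'^\s*Issuer:\s*"(.*)"\s*$')
_RE_NOT_BEFORE = re.compile(r"^\s*Not Before:\s*(.+?)\s*$")
_RE_NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")
_RE_SUBJECT = re.compile(r'^\s*Subject:\s*"(.*)"\s*$')


def parse_certutil_date(text):
    """Turn a certutil validity timestamp into an aware UTC datetime."""
    return datetime.strptime(text, _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_certutil(text):
    """Return one dict per certificate block (issuer, subject, not_before,
    not_after).  An 'Issuer:' line opens a block; certutil prints every
    certificate that shares the nickname, one block after another."""
    certs, cur = [], None
    for line in text.splitlines():
        m = _RE_ISSUER.match(line)
        if m:
            cur = {"issuer": m.group(1)}
            certs.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("not_before", _RE_NOT_BEFORE),
                        ("not_after", _RE_NOT_AFTER)):
            m = rx.match(line)
            if m:
                cur[key] = parse_certutil_date(m.group(1))
        m = _RE_SUBJECT.match(line)
        if m:
            cur["subject"] = m.group(1)
    return [c for c in certs if "not_before" in c and "not_after" in c]


def valid_at(certs, when):
    """Split certs into those valid at `when` and those expired or not yet
    valid at that instant (the check behind NSS's 'Certificate has expired')."""
    ok, bad = [], []
    for c in certs:
        (ok if c["not_before"] <= when <= c["not_after"] else bad).append(c)
    return ok, bad


def common_validity_window(certs):
    """Intersection of all validity windows, or None when it is empty.
    None means no clock setting makes every copy valid at once, which is
    the situation in the post: the stale copy has to be removed."""
    start = max(c["not_before"] for c in certs)
    end = min(c["not_after"] for c in certs)
    return (start, end) if start <= end else None


def stale_copies(certs):
    """Every copy except the one whose validity ends last: a heuristic for
    which duplicate of a nickname is the superseded one."""
    newest = max(certs, key=lambda c: c["not_after"])
    return [c for c in certs if c is not newest]


if __name__ == "__main__":
    certs = parse_certutil(CERTUTIL_OUTPUT)
    # The clock the poster set: the day before the newer cert expired.
    clock = parse_certutil_date("Thu Jan 28 14:05:01 2016")
    ok, bad = valid_at(certs, clock)
    print(f"{len(ok)} valid, {len(bad)} expired/not-yet-valid at {clock}")
    print("common window:", common_validity_window(certs))
    for c in stale_copies(certs):
        print("stale copy:", c["subject"], "expired", c["not_after"])
```

With the thread's two certificates the common window is empty, so the script reports the 2014 copy as the stale one whatever clock time is tried.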