[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Anthony Cheng
anthony.wan.cheng at gmail.com
Mon May 2 13:07:20 UTC 2016
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcritten at redhat.com> wrote:
> Anthony Cheng wrote:
> > OK so I made process on my cert renew issue; I was able to get kinit
> > working so I can follow the rest of the steps here
> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i
> <ID>)
> > (/sbin/service ipa restart), I still see:
> >
> > [root at test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed
> > at server. Certificate operation cannot be compl
> > eted: Unable to communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while
> tomcat started ok it didn't load the dogtag CA application, hence the
> Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start
> properly.
>
> [ snip ]
>
> Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction. Peer certificate cannot be auth
enticated with known CA certificates)." from "getcert list"
Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disable NTP so somehow the system still
know today's time.
PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary
> value you should start with a DER-encoded cert and load it using
> something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER
> formats.
>
> I have a vague memory that dogtag can deal with a multi-valued
> usercertificate attribute.
>
> rob
>
>
Yes the wiki stated binary, the result of:
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
> >
> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only
> > 1) but they are duplicate and NOT from data that I added. That seems
> > incorrect to me.
> >
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
> > <anthony.wan.cheng at gmail.com <mailto:anthony.wan.cheng at gmail.com>>
> wrote:
> >
> > klist is actually empty; kinit admin fails. Sounds like then
> > getcert resubmit has a dependency on kerberoes. I can get a backup
> > image that has a valid ticket but it is only good for 1 day (and
> > dated pasted the cert expire).
> >
> > Also I had asked awhile back about whether there is dependency on
> > DIRSRV to renew the cert; didn't get any response but I suspect
> > there is a dependency.
> >
> > Regarding the clock skew, I found out from /var/log/message that
> > shows me this so it may be from named:
> >
> > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
> > skew too great)
> > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
> > failure. Minor code may provide more information (Creden
> > tials cache file '/tmp/krb5cc_496' not found)
> >
> > I don't have a krb5cc_496 file (since klist is empty), so sounds to
> > me I need to get a kerberoes ticket before going any further. Also
> > is the file /etc/krb5.keytab access/modification time important? I
> > had changed time back to before the cert expiration date and reboot
> > and try renew but the error message about clock skew is still
> > there. That seems strange.
> >
> > Lastly, as a absolute last resort, can I regenerate a new cert
> > myself?
> >
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> >
> > [root at test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root at test /]# service ipa start
> > Starting Directory Service
> > Starting dirsrv:
> > PKI-IPA... [ OK ]
> > sample-NET... [ OK ]
> > Starting KDC Service
> > Starting Kerberos 5 KDC: [ OK ]
> > Starting KPASSWD Service
> > Starting Kerberos 5 Admin Server: [ OK ]
> > Starting DNS Service
> > Starting named: [FAILED]
> > Failed to start DNS Service
> > Shutting down
> > Stopping Kerberos 5 KDC: [ OK ]
> > Stopping Kerberos 5 Admin Server: [ OK ]
> > Stopping named: [ OK ]
> > Stopping httpd: [ OK ]
> > Stopping pki-ca: [ OK ]
> > Shutting down dirsrv:
> > PKI-IPA... [ OK ]
> > sample-NET... [ OK ]
> > Aborting ipactl
> > [root at test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root at test /]# service ipa status
> > Directory Service: STOPPED
> > Failed to get list of services to probe status:
> > Directory Server is stopped
> >
> > On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com
> > <mailto:dkupka at redhat.com>> wrote:
> >
> > On 27/04/16 21:54, Anthony Cheng wrote:
> > > Hi list,
> > >
> > > I am trying to renew expired certificates following the
> > manual renewal procedure
> > > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > but even with
> > > resetting the system/hardware clock to a time before expires,
> > I am getting the
> > > error "ca-error: Error setting up ccache for local "host"
> > service using default
> > > keytab: Clock skew too great."
> > >
> > > With NTP disable and clock reset why would it complain about
> > clock skew and how
> > > does it even know about the current time?
> > >
> > > [root at test certs]# getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate
> > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:46 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223300':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223316':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130741':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Audit,O=sample.NET
> > > expires: 2017-10-13 14:10:49 UTC
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "auditSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130742':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=OCSP Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-OCSPSigning
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "ocspSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130743':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "subsystemCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130744':
> > > status: MONITORING
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
> ".
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=RA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130745':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes[root at test certs]# getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate
> > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:46 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223300':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223316':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130741':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Audit,O=sample.NET
> > > expires: 2017-10-13 14:10:49 UTC
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "auditSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130742':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=OCSP Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-OCSPSigning
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "ocspSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130743':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "subsystemCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130744':
> > > status: MONITORING
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
> ".
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=RA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130745':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> > "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
> ".
> > > stuck: yes
> > > key pair storage:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net <http://test.sample.net>
> > <http://test.sample.net>,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > --
> > >
> > > Thanks, Anthony
> > >
> > >
> > >
> >
> > Hello Anthony!
> >
> > After stopping NTP (or other time synchronizing service) and
> setting
> > time manually server really don't have a way to determine that
> > its time
> > differs from the real one.
> >
> > I think this might be issue with Kerberos ticket. You can show
> > content
> > of root's ticket cache using klist. If there is anything clean
> > it with
> > kdestroy and try to resubmit the request again.
> >
> > --
> > David Kupka
> >
> > --
> >
> > Thanks, Anthony
> >
> > --
> >
> > Thanks, Anthony
> >
> >
> >
>
> --
Thanks, Anthony
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160502/ccff567b/attachment.htm>
More information about the Freeipa-users
mailing list