[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Rob Crittenden
rcritten at redhat.com
Mon May 2 13:54:22 UTC 2016
Anthony Cheng wrote:
> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcritten at redhat.com> wrote:
>
> Anthony Cheng wrote:
> > OK so I made progress on my cert renew issue; I was able to get kinit
> > working so I can follow the rest of the steps here
> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
> > (/sbin/service ipa restart), I still see:
> >
> > [root at test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed
> > at server. Certificate operation cannot be completed: Unable to
> > communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while
> tomcat started ok it didn't load the dogtag CA application, hence the
> Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start
> properly.
>
> [ snip ]
>
> Actually after a reboot that error went away and I just get this error
> instead "ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates)." from "getcert list"
>
> Result of service ipa restart is interesting since it shows today's time
> when I already changed date/time/disabled NTP, so somehow the system still
> knows today's time.
>
> PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
>
> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary
> data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary
> value you should start with a DER-encoded cert and load it using
> something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER
> formats.
>
> I have a vague memory that dogtag can deal with a multi-valued
> usercertificate attribute.
>
> rob
>
>
> Yes the wiki stated binary, the result of:
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
> uid=ipara,ou=People,o=ipaca -W
>
> shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>
> But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
my entries look like:
userCertificate:: MIID....
It might make a difference if dogtag is looking for the subtype or not.
rob
>
> >
> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W
> -b uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only
> > 1) but they are duplicate and NOT from data that I added. That seems
> > incorrect to me.
> >
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.cheng at gmail.com> wrote:
> >
> > klist is actually empty; kinit admin fails. Sounds like then
> > getcert resubmit has a dependency on Kerberos. I can get a backup
> > image that has a valid ticket but it is only good for 1 day (and
> > dated past the cert expiry).
> >
> > Also I had asked awhile back about whether there is dependency on
> > DIRSRV to renew the cert; didn't get any response but I suspect
> > there is a dependency.
> >
> > Regarding the clock skew, I found out from /var/log/message that
> > shows me this so it may be from named:
> >
> > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
> >
> > I don't have a krb5cc_496 file (since klist is empty), so it sounds to
> > me like I need to get a Kerberos ticket before going any further. Also,
> > is the access/modification time of the file /etc/krb5.keytab important?
> > I had changed the time back to before the cert expiration date, rebooted
> > and tried to renew, but the error message about clock skew is still
> > there. That seems strange.
> >
> > Lastly, as an absolute last resort, can I regenerate a new cert
> > myself?
> > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> >
> > [root at test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root at test /]# service ipa start
> > Starting Directory Service
> > Starting dirsrv:
> > PKI-IPA... [ OK ]
> > sample-NET... [ OK ]
> > Starting KDC Service
> > Starting Kerberos 5 KDC: [ OK ]
> > Starting KPASSWD Service
> > Starting Kerberos 5 Admin Server: [ OK ]
> > Starting DNS Service
> > Starting named: [FAILED]
> > Failed to start DNS Service
> > Shutting down
> > Stopping Kerberos 5 KDC: [ OK ]
> > Stopping Kerberos 5 Admin Server: [ OK ]
> > Stopping named: [ OK ]
> > Stopping httpd: [ OK ]
> > Stopping pki-ca: [ OK ]
> > Shutting down dirsrv:
> > PKI-IPA... [ OK ]
> > sample-NET... [ OK ]
> > Aborting ipactl
> > [root at test /]# klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > [root at test /]# service ipa status
> > Directory Service: STOPPED
> > Failed to get list of services to probe status:
> > Directory Server is stopped
> >
> > On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com> wrote:
> >
> > On 27/04/16 21:54, Anthony Cheng wrote:
> > > Hi list,
> > >
> > > I am trying to renew expired certificates following the manual renewal
> > > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > > but even with resetting the system/hardware clock to a time before it
> > > expires, I am getting the error "ca-error: Error setting up ccache for
> > > local "host" service using default keytab: Clock skew too great."
> > >
> > > With NTP disabled and the clock reset, why would it complain about clock
> > > skew, and how does it even know about the current time?
> > >
> > > [root at test certs]# getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate
> > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net,O=sample.NET
> > > expires: 2016-01-29 14:09:46 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223300':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate
> > > DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20111214223316':
> > > status: MONITORING
> > > ca-error: Error setting up ccache for local
> "host"
> > service using
> > > default keytab: Clock skew too great.
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net,O=sample.NET
> > > expires: 2016-01-29 14:09:45 UTC
> > > eku: id-kp-serverAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130741':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Audit,O=sample.NET
> > > expires: 2017-10-13 14:10:49 UTC
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "auditSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130742':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=OCSP Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-OCSPSigning
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "ocspSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130743':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=CA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> /usr/lib64/ipa/certmonger/stop_pkicad
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ca_cert
> > > "subsystemCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130744':
> > > status: MONITORING
> > > ca-error: Internal error: no response to
> > >
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > > stuck: no
> > > key pair storage:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate
> > > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=RA Subsystem,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20130519130745':
> > > status: NEED_CSR_GEN_PIN
> > > ca-error: Internal error: no response to
> > >
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > > stuck: yes
> > > key pair storage:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > > '
> > > certificate:
> > >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-renew-agent
> > > issuer: CN=Certificate Authority,O=sample.NET
> > > subject: CN=test.sample.net,O=sample.NET
> > > expires: 2017-10-13 14:09:49 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > --
> > >
> > > Thanks, Anthony
> > >
> > >
> > >
> >
> > Hello Anthony!
> >
> > After stopping NTP (or other time synchronizing service) and setting
> > the time manually, the server really doesn't have a way to determine
> > that its time differs from the real one.
> >
> > I think this might be an issue with the Kerberos ticket. You can show
> > the content of root's ticket cache using klist. If there is anything,
> > clean it with kdestroy and try to resubmit the request again.
> >
> > --
> > David Kupka
> >
>
> --
>
> Thanks, Anthony
>
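Rob's LDIF above loads a DER file with `:<`, and his own CA entries carry `userCertificate::` (base64, no `;binary` subtype), while the ldapsearch in the thread shows `userCertificate;binary::` holding data that came from a PEM. The Python below is an added example, not part of the thread and not FreeIPA or Dogtag code: it builds that modify/add LDIF from a PEM (the same bytes `openssl x509 -outform DER` gives) and audits what an ldapsearch dump actually stores, flagging values that decode to base64 or PEM text instead of DER, and duplicate values. The certificate bytes, DN and sample output are constructed.

```python
import base64
import re
import textwrap


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body: the same bytes that
    'openssl x509 -outform DER' writes for this certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fold(line: str, width: int = 76) -> str:
    """RFC 2849 folding: 76 columns, continuation lines start with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_add_cert(dn: str, der: bytes, binary_subtype: bool = False) -> str:
    """LDIF modify/add with the DER bytes as a '::' base64 value (what
    ':< file:///path/to/cert.der' yields). binary_subtype=True names the
    attribute 'userCertificate;binary', the form seen in the ldapsearch above."""
    attr = "userCertificate;binary" if binary_subtype else "userCertificate"
    value = fold(f"{attr}:: {base64.b64encode(der).decode('ascii')}")
    return f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{value}\n"


def unfold(ldif: str) -> list:
    """ldapsearch/LDIF text -> (attribute, raw bytes) pairs: rejoin folded
    lines, decode '::' base64 values, keep ':' values as text."""
    lines = []
    for ln in ldif.splitlines():
        if ln.startswith(" ") and lines:
            lines[-1] += ln[1:]
        elif ln and not ln.startswith("#"):
            lines.append(ln)
    pairs = []
    for ln in lines:
        attr, sep, val = ln.partition("::") if "::" in ln else ln.partition(":")
        raw = base64.b64decode(val.strip()) if sep == "::" else val.strip().encode()
        pairs.append((attr.strip(), raw))
    return pairs


def classify(raw: bytes) -> str:
    """A certificate is a DER SEQUENCE with a two-byte length (0x30 0x82; real
    certificates exceed 255 bytes). PEM armour or bare base64 text means the
    PEM, not the DER, was loaded into the directory."""
    if raw[:2] == b"\x30\x82":
        return "der"
    if raw.startswith(b"-----BEGIN"):
        return "pem-text"
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n ]+", raw):
        return "base64-text"
    return "unknown"


def audit_entry(ldapsearch_output: str) -> list:
    """Classify every userCertificate* value; >1 value or anything but 'der' is suspect."""
    return [(attr, classify(raw)) for attr, raw in unfold(ldapsearch_output)
            if attr.lower().startswith("usercertificate")]


# Constructed stand-in for a DER certificate (valid outer header, filler body).
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + textwrap.fill(base64.b64encode(FAKE_DER).decode("ascii"), 64)
            + "\n-----END CERTIFICATE-----\n")
# Constructed ldapsearch output in which the PEM body text was loaded as the value.
SAMPLE_BAD_SEARCH = "dn: uid=ipara,ou=people,o=ipaca\n" + fold(
    "userCertificate;binary:: "
    + base64.b64encode("".join(FAKE_PEM.splitlines()[1:-1]).encode()).decode()) + "\n"
```

Run `audit_entry` over the output of the `ldapsearch ... -b uid=ipara,ou=People,o=ipaca` command from the thread; two values, or a value that is not `der`, is what to fix before restarting the CA.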