[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Anthony Cheng anthony.wan.cheng at gmail.com
Mon May 2 21:35:57 UTC 2016


On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcritten at redhat.com> wrote:

> Anthony Cheng wrote:
> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > > Anthony Cheng wrote:
> > > > OK so I made progress on my cert renew issue; I was able to get kinit
> > > > working so I can follow the rest of the steps here
> > > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > > >
> > > > However, after using
> > > >
> > > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> > > >
> > > > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > > > certs (ipa-getcert resubmit -i <ID>) and restarting IPA
> > > > (/sbin/service ipa restart), I still see:
> > > >
> > > > [root@test ~]# ipa-getcert list | more
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20111214223243':
> > > >          status: CA_UNREACHABLE
> > > >          ca-error: Server failed request, will retry: 4301 (RPC failed
> > > > at server.  Certificate operation cannot be completed: Unable to
> > > > communicate with CMS (Not Found)).
> > >
> > > IPA proxies requests to the CA through Apache. This means that while
> > > tomcat started ok it didn't load the dogtag CA application, hence the
> > > Not Found.
> > >
> > > Check the CA debug and selftest logs to see why it failed to start
> > > properly.
> > >
> > > [ snip ]
> >
> > Actually after a reboot that error went away and I just get this error
> > instead "ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction. Peer certificate cannot be
> > authenticated with known CA certificates)." from "getcert list"
> >
> > Result of service ipa restart is interesting since it shows today's time
> > when I already changed date/time/disabled NTP, so somehow the system still
> > knows today's time.
> >
> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
>
> Hard to say. I'd confirm that there is no time syncing service running,
> ntp or otherwise.
>
>
I found out why the time kept changing; it was due to the fact that it has
VM tools installed (I didn't configure this box), so it automatically syncs
time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found))

I tried the step from http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart

so that I could get rid of one of the CA certs that had expired (I kept the
1st one), but I am still getting the same error.

What exactly is CMS and why is it not found?


I did notice that the selftest log is empty, with a different timestamp:

-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log

[root@test ~]# clock
Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds


Here are some debug logs after reboot:

[root@test pki-ca]# tail -n 100 catalina.out
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23  config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40  config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms

[root@test pki-ca]# tail -n 100 debug
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()



 >

> >      > Would really greatly appreciate any help on this.
> >      >
> >      > Also I noticed after I do ldapmodify of usercertificate binary
> >     data with
> >      >
> >      > add: usercertificate;binary
> >      > usercertificate;binary: !@#$@!#$#@$
> >
> >     You really pasted in binary? Or was this base64-encoded data?
> >
> >     I wonder if there is a problem in the wiki. If this is really a
> binary
> >     value you should start with a DER-encoded cert and load it using
> >     something like:
> >
> >     dn: uid=ipara,ou=people,o=ipaca
> >     changetype: modify
> >     add: usercertificate;binary
> >     usercertificate;binary:< file:///path/to/cert.der
> >
> >     You can use something like openssl x509 to switch between PEM and DER
> >     formats.
> >
> >     I have a vague memory that dogtag can deal with a multi-valued
> >     usercertificate attribute.
> >
> >     rob
> >
> >
> > Yes the wiki stated binary, the result of:
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
> > uid=ipara,ou=People,o=ipaca -W
> >
> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
> >
> > But the actual data is from a PEM though.
>
> Ok. So I looked at my CA data and it doesn't use the binary subtype, so
> my entries look like:
>
> userCertificate:: MIID....
>
> It might make a difference if dogtag is looking for the subtype or not.
>
> rob
>
> >
> >      >
> >      > Then I re-run
> >      >
> >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W
> >     -b uid=ipara,ou=People,o=ipaca
> >      >
> >      > I see 2 entries for usercertificate;binary (before modify there
> >     was only
> >      > 1) but they are duplicate and NOT from data that I added.  That
> seems
> >      > incorrect to me.
> >      >
> >      >
> >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
> >      > <anthony.wan.cheng at gmail.com <mailto:anthony.wan.cheng at gmail.com>
> >     <mailto:anthony.wan.cheng at gmail.com
> >     <mailto:anthony.wan.cheng at gmail.com>>> wrote:
> >      >
> >      >     klist is actually empty; kinit admin fails.  Sounds like then
> >      >     getcert resubmit has a dependency on kerberoes.  I can get a
> >     backup
> >      >     image that has a valid ticket but it is only good for 1 day
> (and
> >      >     dated pasted the cert expire).
> >      >
> >      >     Also I had asked awhile back about whether there is
> dependency on
> >      >     DIRSRV to renew the cert; didn't get any response but I
> suspect
> >      >     there is a dependency.
> >      >
> >      >     Regarding the clock skew, I found out from /var/log/message
> that
> >      >     shows me this so it may be from named:
> >      >
> >      >     Jan 28 14:10:42 test named[2911]: Failed to init credentials
> >     (Clock
> >      >     skew too great)
> >      >     Jan 28 14:10:42 test named[2911]: loading configuration:
> failure
> >      >     Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
> >      >     failure.  Minor code may provide more information (Creden
> >      >     tials cache file '/tmp/krb5cc_496' not found)
> >      >
> >      >     I don't have a krb5cc_496 file (since klist is empty), so
> >     sounds to
> >      >     me I need to get a kerberoes ticket before going any
> >     further.  Also
> >      >     is the file /etc/krb5.keytab access/modification time
> >     important?  I
> >      >     had changed time back to before the cert expiration date and
> >     reboot
> >      >     and try renew but the error message about clock skew is still
> >      >     there.  That seems strange.
> >      >
> >      >     Lastly, as a absolute last resort, can I regenerate a new cert
> >      >     myself?
> >      >
> >
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> >      >
> >      >     [root at test /]# klist
> >      >     klist: No credentials cache found (ticket cache
> >     FILE:/tmp/krb5cc_0)
> >      >     [root at test /]# service ipa start
> >      >     Starting Directory Service
> >      >     Starting dirsrv:
> >      >          PKI-IPA...
> >       [  OK  ]
> >      >          sample-NET...
> >     [  OK  ]
> >      >     Starting KDC Service
> >      >     Starting Kerberos 5 KDC:                                   [
> >     OK  ]
> >      >     Starting KPASSWD Service
> >      >     Starting Kerberos 5 Admin Server:                          [
> >     OK  ]
> >      >     Starting DNS Service
> >      >     Starting named:
> >     [FAILED]
> >      >     Failed to start DNS Service
> >      >     Shutting down
> >      >     Stopping Kerberos 5 KDC:                                   [
> >     OK  ]
> >      >     Stopping Kerberos 5 Admin Server:                          [
> >     OK  ]
> >      >     Stopping named:                                            [
> >     OK  ]
> >      >     Stopping httpd:                                            [
> >     OK  ]
> >      >     Stopping pki-ca:                                           [
> >     OK  ]
> >      >     Shutting down dirsrv:
> >      >          PKI-IPA...
> >       [  OK  ]
> >      >          sample-NET...
> >     [  OK  ]
> >      >     Aborting ipactl
> >      >     [root at test /]# klist
> >      >     klist: No credentials cache found (ticket cache
> >     FILE:/tmp/krb5cc_0)
> >      >     [root at test /]# service ipa status
> >      >     Directory Service: STOPPED
> >      >     Failed to get list of services to probe status:
> >      >     Directory Server is stopped
> >      >
> >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
> >     <dkupka at redhat.com <mailto:dkupka at redhat.com>
> >      >     <mailto:dkupka at redhat.com <mailto:dkupka at redhat.com>>> wrote:
> >      >
> >      >         On 27/04/16 21:54, Anthony Cheng wrote:
> >      >          > Hi list,
> >      >          >
> >      >          > I am trying to renew expired certificates following the
> >      >         manual renewal procedure
> >      >          > here
> >     (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >      >         but even with
> >      >          > resetting the system/hardware clock to a time before
> >     expires,
> >      >         I am getting the
> >      >          > error "ca-error: Error setting up ccache for local
> "host"
> >      >         service using default
> >      >          > keytab: Clock skew too great."
> >      >          >
> >      >          > With NTP disable and clock reset why would it complain
> >     about
> >      >         clock skew and how
> >      >          > does it even know about the current time?
> >      >          >
> >      >          > [root at test certs]# getcert list
> >      >          > Number of certificates and requests being tracked: 8.
> >      >          > Request ID '20111214223243':
> >      >          >          status: MONITORING
> >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >      >          >          stuck: no
> >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >      >          >          CA: IPA
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=test.sample.net,O=sample.NET
> >      >          >          expires: 2016-01-29 14:09:46 UTC
> >      >          >          eku: id-kp-serverAuth
> >      >          >          pre-save command:
> >      >          >          post-save command:
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20111214223300':
> >      >          >          status: MONITORING
> >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >      >          >          stuck: no
> >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >      >          >          CA: IPA
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=test.sample.net,O=sample.NET
> >      >          >          expires: 2016-01-29 14:09:45 UTC
> >      >          >          eku: id-kp-serverAuth
> >      >          >          pre-save command:
> >      >          >          post-save command:
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20111214223316':
> >      >          >          status: MONITORING
> >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >      >          >          stuck: no
> >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >      >          >          CA: IPA
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=test.sample.net,O=sample.NET
> >      >          >          expires: 2016-01-29 14:09:45 UTC
> >      >          >          eku: id-kp-serverAuth
> >      >          >          pre-save command:
> >      >          >          post-save command:
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20130519130741':
> >      >          >          status: NEED_CSR_GEN_PIN
> >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >      >          >          stuck: yes
> >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> >      >          > '
> >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >      >          >          CA: dogtag-ipa-renew-agent
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=CA Audit,O=sample.NET
> >      >          >          expires: 2017-10-13 14:10:49 UTC
> >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20130519130742':
> >      >          >          status: NEED_CSR_GEN_PIN
> >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >      >          >          stuck: yes
> >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> >      >          > '
> >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >      >          >          CA: dogtag-ipa-renew-agent
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=OCSP Subsystem,O=sample.NET
> >      >          >          expires: 2017-10-13 14:09:49 UTC
> >      >          >          eku: id-kp-OCSPSigning
> >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20130519130743':
> >      >          >          status: NEED_CSR_GEN_PIN
> >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >      >          >          stuck: yes
> >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> >      >          > '
> >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >      >          >          CA: dogtag-ipa-renew-agent
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=CA Subsystem,O=sample.NET
> >      >          >          expires: 2017-10-13 14:09:49 UTC
> >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
> >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20130519130744':
> >      >          >          status: MONITORING
> >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >      >          >          stuck: no
> >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >      >          >          CA: dogtag-ipa-renew-agent
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=RA Subsystem,O=sample.NET
> >      >          >          expires: 2017-10-13 14:09:49 UTC
> >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
> >      >          >          pre-save command:
> >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > Request ID '20130519130745':
> >      >          >          status: NEED_CSR_GEN_PIN
> >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >      >          >          stuck: yes
> >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> >      >          > '
> >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >      >          >          CA: dogtag-ipa-renew-agent
> >      >          >          issuer: CN=Certificate Authority,O=sample.NET
> >      >          >          subject: CN=test.sample.net,O=sample.NET
> >      >          >          expires: 2017-10-13 14:09:49 UTC
> >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
> >      >          >          pre-save command:
> >      >          >          post-save command:
> >      >          >          track: yes
> >      >          >          auto-renew: yes
> >      >          > --
> >      >          >
> >      >          > Thanks, Anthony
> >      >          >
> >      >          >
> >      >          >
> >      >
> >      >         Hello Anthony!
> >      >
> >      >         After stopping NTP (or another time-synchronizing service) and setting
> >      >         the time manually, the server really doesn't have a way to determine
> >      >         that its time differs from the real one.
> >      >
> >      >         I think this might be an issue with the Kerberos ticket. You can show
> >      >         the content of root's ticket cache using klist. If there is anything,
> >      >         clean it with kdestroy and try to resubmit the request again.
> >      >
> >      >         --
> >      >         David Kupka
> >      >
> --

Thanks, Anthony
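The `getcert list` dump above is long enough that the per-request status and error lines are easy to miss; as an added example (not from the thread, nor certmonger's or FreeIPA's own code), here is a POSIX shell script that summarises such output and flags expired certificates, stuck requests and the clock-skew ca-error, pointing at the klist/kdestroy check David suggests. The sample input is constructed from the fields seen in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from certmonger/FreeIPA: summarise
# `getcert list` output per request and flag what the thread discusses, i.e.
# tracked certificates that have already expired, requests marked stuck, and
# the "Clock skew too great" ca-error, for which the advice above is to check
# root's ticket cache (klist), clear it (kdestroy) and resubmit the request.
# POSIX sh + awk only; timestamps compare as strings, so no GNU date is needed.

# Constructed sample in the format getcert list prints (each field on one line).
sample_getcert() {
  cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
EOF
}

# Reads getcert list output on stdin; prints one line per request:
# ID|status|stuck|expires|error-class (NONE, CLOCK_SKEW, NO_RESPONSE, CA_NOT_FOUND, OTHER)
summarize_getcert() {
  awk -v q="'" '
    function flush() {
      if (id != "") printf "%s|%s|%s|%s|%s\n", id, status, stuck, expires, err
      id = ""; status = "?"; stuck = "?"; expires = "-"; err = "NONE"
    }
    BEGIN { flush() }
    $0 ~ ("^Request ID " q) { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
    /^[ \t]*status: /  { sub(/^[ \t]*status: /, "");  status = $0;  next }
    /^[ \t]*stuck: /   { sub(/^[ \t]*stuck: /, "");   stuck = $0;   next }
    /^[ \t]*expires: / { sub(/^[ \t]*expires: /, ""); expires = $0; next }
    /^[ \t]*ca-error: / {
      if ($0 ~ /Clock skew too great/)                err = "CLOCK_SKEW"
      else if ($0 ~ /no response to/)                 err = "NO_RESPONSE"
      else if ($0 ~ /Unable to communicate with CMS/) err = "CA_NOT_FOUND"
      else                                            err = "OTHER"
      next
    }
    END { flush() }'
}

# check_getcert 'YYYY-MM-DD HH:MM:SS' < getcert-output
# One finding per line; exit status 1 when anything needs attention, else 0.
check_getcert() {
  summarize_getcert | awk -F'|' -v now="$1" '
    $4 != "-" && substr($4, 1, 19) < now {
      printf "EXPIRED     %s expired %s\n", $1, $4; bad++ }
    $5 == "CLOCK_SKEW" {
      printf "CLOCK_SKEW  %s: check root ccache with klist, kdestroy, then getcert resubmit -i %s\n", $1, $1; bad++ }
    $3 == "yes" {
      printf "STUCK       %s (status %s, error %s)\n", $1, $2, $5; bad++ }
    END { if (bad > 0) exit 1 }'
}

# Demo run over the constructed sample, dated to the thread (2016-05-02).
if ! sample_getcert | check_getcert "2016-05-02 21:35:57"; then
  echo "getcert list needs attention"
fi
```

On a real server run it as `getcert list | check_getcert "$(date -u '+%Y-%m-%d %H:%M:%S')"`; if the clock has been reset by hand, pass the real time instead so the expiry check stays meaningful.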