[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Rob Crittenden rcritten at redhat.com
Wed May 4 13:07:08 UTC 2016


Anthony Cheng wrote:
> Small update, I found an article on the RH solution library
> (https://access.redhat.com/solutions/2020223) that has the same error
> code that I am getting and I followed the steps with certutil to update
> the cert attributes but it is still not working.  The article is listed
> as "Solution in Progress".
>
> [root at test ~]# getcert list | more
>
> Number of certificates and requests being tracked: 7.
>
> Request ID '20111214223243':
>
> status: CA_UNREACHABLE
>
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

Not Found means the CA didn't start. You need to examine the debug and 
selftest logs to determine why.

rob

>
> stuck: yes
>
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=SAMPLE.NET
>
> subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>
> expires: 2016-01-29 14:09:46 UTC
>
> eku: id-kp-serverAuth
>
> pre-save command:
>
> post-save command:
>
> track: yes
>
> auto-renew: yes
>
>
>
> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
> <anthony.wan.cheng at gmail.com> wrote:
>
>     On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcritten at redhat.com> wrote:
>
>         Anthony Cheng wrote:
>          > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
>          > <rcritten at redhat.com> wrote:
>          >
>          >     Anthony Cheng wrote:
>          >      > OK so I made progress on my cert renew issue; I was
>         able to get kinit
>          >      > working so I can follow the rest of the steps here
>          >      > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>          >      >
>          >      > However, after using
>          >      >
>          >      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory
>         manager' -w
>          >     password
>          >      >
>          >      > and restarting apache (/sbin/service httpd restart),
>         resubmitting 3
>          >      > certs (ipa-getcert resubmit -i <ID>) and restarting
>         IPA (resubmit
>          >     -i <ID>)
>          >      > (/sbin/service ipa restart), I still see:
>          >      >
>          >      > [root at test ~]# ipa-getcert list | more
>          >      > Number of certificates and requests being tracked: 8.
>          >      > Request ID '20111214223243':
>          >      >          status: CA_UNREACHABLE
>          >      >          ca-error: Server failed request, will retry:
>         4301 (RPC
>          >     failed
>          >      > at server.  Certificate operation cannot be compl
>          >      > eted: Unable to communicate with CMS (Not Found)).
>          >
>          >     IPA proxies requests to the CA through Apache. This means
>         that while
>          >     tomcat started ok it didn't load the dogtag CA
>         application, hence the
>          >     Not Found.
>          >
>          >     Check the CA debug and selftest logs to see why it failed
>         to start
>          >     properly.
>          >
>          >     [ snip ]
>          >
>          > Actually after a reboot that error went away and I just get
>         this error
>          > instead "ca-error: Server failed request, will retry: -504
>         (libcurl
>          > failed to execute the HTTP POST transaction. Peer certificate
>         cannot be
>          > authenticated with known CA certificates)." from "getcert list"
>          >
>          > Result of service ipa restart is interesting since it shows
>         today's time
>          > when I already changed date/time/disabled NTP, so somehow the
>         system still
>          > knows today's time.
>          >
>          > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>          > CERT_VerifyCertificateNow: verify certificate failed for cert
>          > Server-Cert of family cn=RSA,cn=encryption,cn=config
>         (Netscape Portable
>          > Runtime error -8181 - Peer's Certificate has expired.)
>
>         Hard to say. I'd confirm that there is no time syncing service
>         running,
>         ntp or otherwise.
>
>
>     I found out why the time kept changing; it was due to the fact that
>     it has VM tools installed (I didn't configure this box), so it
>     automatically syncs time during bootup.
>
>     I did still see this error message:
>
>     ca-error: Server failed request, will retry: 4301 (RPC failed at
>     server. Certificate operation cannot be completed: Unable to
>     communicate with CMS (Not Found))
>
>     I tried the step http://www.freeipa.org/page/Troubleshooting with
>
>     certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>     openssl x509 -text -in /tmp/ra.crt
>     certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>     service httpd restart
>
>     So that I can get rid of one of the CA certs that is expired (kept
>     the 1st one), but I am still getting the same error.
>
>     What exactly is CMS and why is it not found?
>
>
>     I did notice that the selftest log is empty with a different time:
>
>     -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11
>     /var/log/pki-ca/selftests.log
>
>     [root at test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>
>
>     Here are some debug logs after reboot:
>
>     [root at test pki-ca]# tail -n 100 catalina.out
>
>     INFO: JK: ajp13 listening on /0.0.0.0:9447
>
>     Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>
>     INFO: Jk running ID=0 time=1/23config=null
>
>     Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>
>     INFO: Server startup in 1722 ms
>
>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>
>     INFO: Pausing Coyote HTTP/1.1 on http-9180
>
>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>
>     INFO: Pausing Coyote HTTP/1.1 on http-9443
>
>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>
>     INFO: Pausing Coyote HTTP/1.1 on http-9445
>
>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>
>     INFO: Pausing Coyote HTTP/1.1 on http-9444
>
>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>
>     INFO: Pausing Coyote HTTP/1.1 on http-9446
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>
>     INFO: Stopping service Catalina
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is
>     very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is
>     very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearReferencesThreads
>
>     SEVERE: A web application appears to have started a thread named
>     [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is
>     very likely to create a memory leak.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearThreadLocalMap
>
>     SEVERE: A web application created a ThreadLocal with key of type
>     [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a
>     value of type [java.text.SimpleDateFormat] (value
>     [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when
>     the web application was stopped. To prevent a memory leak, the
>     ThreadLocal has been forcibly removed.
>
>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>     clearThreadLocalMap
>
>     SEVERE: A web application created a ThreadLocal with key of type
>     [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a
>     value of type [java.text.SimpleDateFormat] (value
>     [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when
>     the web application was stopped. To prevent a memory leak, the
>     ThreadLocal has been forcibly removed.
>
>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>
>     INFO: Stopping Coyote HTTP/1.1 on http-9180
>
>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>
>     INFO: Stopping Coyote HTTP/1.1 on http-9443
>
>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>
>     INFO: Stopping Coyote HTTP/1.1 on http-9445
>
>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>
>     INFO: Stopping Coyote HTTP/1.1 on http-9444
>
>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>
>     INFO: Stopping Coyote HTTP/1.1 on http-9446
>
>     Jan 27, 2016 2:57:36 PM
>     org.apache.catalina.core.AprLifecycleListener init
>
>     INFO: The APR based Apache Tomcat Native library which allows
>     optimal performance in production environments was not found on the
>     java.library.path:
>     /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>
>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>
>     INFO: Initializing Coyote HTTP/1.1 on http-9180
>
>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>
>     INFO: Initializing Coyote HTTP/1.1 on http-9443
>
>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>
>     INFO: Initializing Coyote HTTP/1.1 on http-9445
>
>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>
>     INFO: Initializing Coyote HTTP/1.1 on http-9444
>
>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>     unsupported by NSS. This is probably O.K. unless ECC support has
>     been installed.
>
>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>
>     INFO: Initializing Coyote HTTP/1.1 on http-9446
>
>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>
>     INFO: Initialization processed in 2198 ms
>
>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>
>     INFO: Starting service Catalina
>
>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>
>     INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>
>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
>     deployDirectory
>
>     INFO: Deploying web application directory ROOT
>
>     Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
>     deployDirectory
>
>     INFO: Deploying web application directory ca
>
>     64-bit osutil library loaded
>
>     64-bit osutil library loaded
>
>     Certificate object not found
>
>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>
>     INFO: Starting Coyote HTTP/1.1 on http-9180
>
>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>
>     INFO: Starting Coyote HTTP/1.1 on http-9443
>
>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>
>     INFO: Starting Coyote HTTP/1.1 on http-9445
>
>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>
>     INFO: Starting Coyote HTTP/1.1 on http-9444
>
>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>
>     INFO: Starting Coyote HTTP/1.1 on http-9446
>
>     Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>
>     INFO: JK: ajp13 listening on /0.0.0.0:9447
>
>     Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>
>     INFO: Jk running ID=0 time=0/40config=null
>
>     Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>
>     INFO: Server startup in 2592 ms
>
>     [root at test pki-ca]# tail -n 100 debug
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     subjectAltNameExtDefaultImpl Subject Alternative Name Extension
>     Default Subject Alternative Name Extension Default
>     com.netscape.cms.profile.def.SubjectAltNameExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     userValidityDefaultImpl User Supplied Validity Default User Supplied
>     Validity Default com.netscape.cms.profile.def.UserValidityDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     userSubjectNameDefaultImpl User Supplied Subject Name Default User
>     Supplied Subject Name Default
>     com.netscape.cms.profile.def.UserSubjectNameDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     subjectDirAttributesExtDefaultImpl Subject Directory Attributes
>     Extension Default Subject Directory Attributes Extension Default
>     com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     certificateVersionDefaultImpl Certificate Version Default
>     Certificate Version Default
>     com.netscape.cms.profile.def.CertificateVersionDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
>     Extended Key Usage Extension Default
>     com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     policyConstraintsExtDefaultImpl Policy Constraints Extension Default
>     Policy Constraints Extension Default
>     com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     crlDistributionPointsExtDefaultImpl CRL Distribution Points
>     Extension Default CRL Distribution Points Extension Default
>     com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     certificatePoliciesExtDefaultImpl Certificate Policies Extension
>     Default Certificate Policies Extension Default
>     com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     validityDefaultImpl Validity Default Validty Default
>     com.netscape.cms.profile.def.ValidityDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
>     Private Key Period Ext Default
>     com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     noDefaultImpl No Default No Default
>     com.netscape.cms.profile.def.NoDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     imageDefaultImpl Image Default Image Default
>     com.netscape.cms.profile.def.ImageDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     subjectInfoAccessExtDefaultImpl Subject Info Access Extension
>     Default Subject Info Access Extension Default
>     com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     autoAssignDefaultImpl Auto Request Assignment Default Auto Request
>     Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     policyMappingsExtDefaultImpl Policy Mappings Extension Default
>     Policy Mappings Extension Default
>     com.netscape.cms.profile.def.PolicyMappingsExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     caValidityDefaultImpl CA Certificate Validity Default CA Certificate
>     Validty Default com.netscape.cms.profile.def.CAValidityDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     userExtensionDefaultImpl User Supplied Extension Default User
>     Supplied Extension Default
>     com.netscape.cms.profile.def.UserExtensionDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
>     Netscape Certificate Type Extension Default
>     com.netscape.cms.profile.def.NSCertTypeExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
>     Token Supplied Subject Name Default
>     com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     subjectNameDefaultImpl Subject Name Default Subject Name Default
>     com.netscape.cms.profile.def.SubjectNameDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     userSigningAlgDefaultImpl User Supplied Signing Alg Default User
>     Supplied Signing Alg Default
>     com.netscape.cms.profile.def.UserSigningAlgDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
>     Subject Key Identifier Default
>     com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
>     Inhibit Any-Policy Extension Default
>     com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     nsTokenDeviceKeySubjectNameDefaultImpl
>     nsTokenDeviceKeySubjectNameDefault
>     nsTokenDeviceKeySubjectNameDefaultImpl
>     com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
>     Comment Extension Default
>     com.netscape.cms.profile.def.NSCCommentExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
>     Default com.netscape.cms.profile.def.SigningAlgDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>     nameConstraintsExtDefaultImpl Name Constraints Extension Default
>     Name Constraints Extension Default
>     com.netscape.cms.profile.def.NameConstraintsExtDefault
>
>     [27/Jan/2016:15:30:43][main]: added plugin profileUpdater
>     subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
>     Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>
>     [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>
>     [27/Jan/2016:15:30:43][main]: Cert Repot inited
>
>     [27/Jan/2016:15:30:43][main]: CRL Repot inited
>
>     [27/Jan/2016:15:30:43][main]: Replica Repot inited
>
>     [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname
>     caSigningCert cert-pki-ca
>
>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>     by name
>
>     [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert
>     cert-pki-ca' with serial number: 1
>
>     [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>
>     [27/Jan/2016:15:30:43][main]: Got private key from cert
>
>     [27/Jan/2016:15:30:43][main]: Got public key from cert
>
>     [27/Jan/2016:15:30:43][main]: got signing algorithm
>     RSASignatureWithSHA256Digest
>
>     [27/Jan/2016:15:30:43][main]: CA signing unit inited
>
>     [27/Jan/2016:15:30:43][main]: cachainNum= 0
>
>     [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>
>     [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
>     ca.ocsp_signing.cert
>
>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>     by name
>
>     [27/Jan/2016:15:30:43][main]: SigningUnit init: debug
>     org.mozilla.jss.crypto.ObjectNotFoundException
>
>     [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>
>     Certificate object not found
>
>     at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
>     at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>
>     at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>
>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>
>     at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>
>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>
>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>
>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>
>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>
>     at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>
>     at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>
>     at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>
>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>
>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>
>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>
>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>
>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>
>     at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>
>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>
>     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>
>     at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
>     at java.lang.reflect.Method.invoke(Method.java:616)
>
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
>     [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>
>
>          >      > Would really greatly appreciate any help on this.
>          >      >
>          >      > Also I noticed after I do ldapmodify of
>         usercertificate binary
>          >     data with
>          >      >
>          >      > add: usercertificate;binary
>          >      > usercertificate;binary: !@#$@!#$#@$
>          >
>          >     You really pasted in binary? Or was this base64-encoded data?
>          >
>          >     I wonder if there is a problem in the wiki. If this is
>         really a binary
>          >     value you should start with a DER-encoded cert and load
>         it using
>          >     something like:
>          >
>          >     dn: uid=ipara,ou=people,o=ipaca
>          >     changetype: modify
>          >     add: usercertificate;binary
>          >     usercertificate;binary:< file:///path/to/cert.der
>          >
>          >     You can use something like openssl x509 to switch between
>         PEM and DER
>          >     formats.
>          >
>          >     I have a vague memory that dogtag can deal with a
>         multi-valued
>          >     usercertificate attribute.
>          >
>          >     rob
>          >
>          >
>          > Yes the wiki stated binary, the result of:
>          > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
>          > uid=ipara,ou=People,o=ipaca -W
>          >
>          > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>          >
>          > But the actual data is from a PEM though.
>
>         Ok. So I looked at my CA data and it doesn't use the binary
>         subtype, so
>         my entries look like:
>
>         userCertificate:: MIID....
>
>         It might make a difference if dogtag is looking for the subtype
>         or not.
>
>         rob
>
>          >
>          >      >
>          >      > Then I re-run
>          >      >
>          >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory
>         manager' -W
>          >     -b uid=ipara,ou=People,o=ipaca
>          >      >
>          >      > I see 2 entries for usercertificate;binary (before
>         modify there
>          >     was only
>          >      > 1) but they are duplicate and NOT from data that I
>         added.  That seems
>          >      > incorrect to me.
>          >      >
>          >      >
>          >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
>          >      > <anthony.wan.cheng at gmail.com> wrote:
>          >      >
>          >      >     klist is actually empty; kinit admin fails.
>         Sounds like then
>          >      >     getcert resubmit has a dependency on Kerberos.  I
>         can get a
>          >     backup
>          >      >     image that has a valid ticket but it is only good
>         for 1 day (and
>          >      >     dated past the cert expiry).
>          >      >
>          >      >     Also I had asked a while back about whether there
>         is dependency on
>          >      >     DIRSRV to renew the cert; didn't get any response
>         but I suspect
>          >      >     there is a dependency.
>          >      >
>          >      >     Regarding the clock skew, I found out from
>         /var/log/message that
>          >      >     shows me this so it may be from named:
>          >      >
>          >      >     Jan 28 14:10:42 test named[2911]: Failed to init
>         credentials
>          >     (Clock
>          >      >     skew too great)
>          >      >     Jan 28 14:10:42 test named[2911]: loading
>         configuration: failure
>          >      >     Jan 28 14:10:42 test named[2911]: exiting (due to
>         fatal error)
>          >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error:
>         Unspecified GSS
>          >      >     failure.  Minor code may provide more information
>         (Creden
>          >      >     tials cache file '/tmp/krb5cc_496' not found)
>          >      >
>          >      >     I don't have a krb5cc_496 file (since klist is
>         empty), so
>          >     sounds to
>          >      >     me I need to get a kerberoes ticket before going any
>          >     further.  Also
>          >      >     is the file /etc/krb5.keytab access/modification time
>          >     important?  I
>          >      >     had changed time back to before the cert
>         expiration date and
>          >     reboot
>          >      >     and try renew but the error message about clock
>         skew is still
>          >      >     there.  That seems strange.
>          >      >
>          >      >     Lastly, as a absolute last resort, can I
>         regenerate a new cert
>          >      >     myself?
>          >      >
>          >
>         https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>          >      >
>          >      >     [root at test /]# klist
>          >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>          >      >     [root at test /]# service ipa start
>          >      >     Starting Directory Service
>          >      >     Starting dirsrv:
>          >      >          PKI-IPA...                                  [  OK  ]
>          >      >          sample-NET...                               [  OK  ]
>          >      >     Starting KDC Service
>          >      >     Starting Kerberos 5 KDC:                        [  OK  ]
>          >      >     Starting KPASSWD Service
>          >      >     Starting Kerberos 5 Admin Server:               [  OK  ]
>          >      >     Starting DNS Service
>          >      >     Starting named:                                 [FAILED]
>          >      >     Failed to start DNS Service
>          >      >     Shutting down
>          >      >     Stopping Kerberos 5 KDC:                        [  OK  ]
>          >      >     Stopping Kerberos 5 Admin Server:               [  OK  ]
>          >      >     Stopping named:                                 [  OK  ]
>          >      >     Stopping httpd:                                 [  OK  ]
>          >      >     Stopping pki-ca:                                [  OK  ]
>          >      >     Shutting down dirsrv:
>          >      >          PKI-IPA...                                  [  OK  ]
>          >      >          sample-NET...                               [  OK  ]
>          >      >     Aborting ipactl
>          >      >     [root at test /]# klist
>          >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>          >      >     [root at test /]# service ipa status
>          >      >     Directory Service: STOPPED
>          >      >     Failed to get list of services to probe status:
>          >      >     Directory Server is stopped
>          >      >
>          >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
>          >      >     <dkupka at redhat.com> wrote:
>          >      >
>          >      >         On 27/04/16 21:54, Anthony Cheng wrote:
>          >      >          > Hi list,
>          >      >          >
>          >      >          > I am trying to renew expired certificates following the
>          >      >          > manual renewal procedure here
>          >      >          > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>          >      >          > but even with resetting the system/hardware clock to a
>          >      >          > time before expiry, I am getting the error "ca-error:
>          >      >          > Error setting up ccache for local "host" service using
>          >      >          > default keytab: Clock skew too great."
>          >      >          >
>          >      >          > With NTP disabled and the clock reset, why would it
>          >      >          > complain about clock skew, and how does it even know
>          >      >          > about the current time?
>          >      >          >
>          >      >          > [root at test certs]# getcert list
>          >      >          > Number of certificates and requests being tracked: 8.
>          >      >          > Request ID '20111214223243':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>          >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:46 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20111214223300':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20111214223316':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130741':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=CA Audit,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:10:49 UTC
>          >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130742':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=OCSP Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-OCSPSigning
>          >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130743':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=CA Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130744':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>          >      >          >          stuck: no
>          >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=RA Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130745':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes[root at test certs]#
>         getcert list
>          >      >          > Number of certificates and requests being
>         tracked: 8.
>          >      >          > Request ID '20111214223243':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache
>         for local
>          >     "host"
>          >      >         service using
>          >      >          > default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>          >      >          > Certificate
>          >      >
>           DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>          >      >          > Certificate DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net
>         <http://test.sample.net>
>          >     <http://test.sample.net> <http://test.sample.net>
>          >      >         <http://test.sample.net>,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:46 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20111214223300':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache
>         for local
>          >     "host"
>          >      >         service using
>          >      >          > default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          >      >         Certificate
>          >      >          >
>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          >      >         Certificate
>          >      >          > DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net
>         <http://test.sample.net>
>          >     <http://test.sample.net> <http://test.sample.net>
>          >      >         <http://test.sample.net>,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20111214223316':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Error setting up ccache
>         for local
>          >     "host"
>          >      >         service using
>          >      >          > default keytab: Clock skew too great.
>          >      >          >          stuck: no
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          >      >          > Certificate
>         DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          >      >          > Certificate DB'
>          >      >          >          CA: IPA
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net
>         <http://test.sample.net>
>          >     <http://test.sample.net> <http://test.sample.net>
>          >      >         <http://test.sample.net>,O=sample.NET
>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>          >      >          >          eku: id-kp-serverAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130741':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no
>         response to
>          >      >          >
>          >      >
>          >
>           "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>          >      >          > cert-pki-ca',token='NSS Certificate
>         DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=CA Audit,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:10:49 UTC
>          >      >          >          pre-save command:
>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command:
>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>          >      >          > "auditSigningCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130742':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no
>         response to
>          >      >          >
>          >      >
>          >
>           "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>          >      >          > cert-pki-ca',token='NSS Certificate
>         DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=OCSP
>         Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-OCSPSigning
>          >      >          >          pre-save command:
>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command:
>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>          >      >          > "ocspSigningCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130743':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no
>         response to
>          >      >          >
>          >      >
>          >
>           "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>          >      >          > cert-pki-ca',token='NSS Certificate
>         DB',pin='297100916664
>          >      >          > '
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=CA Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command:
>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>          >      >          >          post-save command:
>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>          >      >          > "subsystemCert cert-pki-ca"
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130744':
>          >      >          >          status: MONITORING
>          >      >          >          ca-error: Internal error: no
>         response to
>          >      >          >
>          >      >
>          >
>           "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>          >      >          >          stuck: no
>          >      >          >          key pair storage:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>          >      >         Certificate
>          >      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          >      >          >          certificate:
>          >      >          >
>          >      >
>          >
>           type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>          >      >         Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate
>         Authority,O=sample.NET
>          >      >          >          subject: CN=RA Subsystem,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >         /usr/lib64/ipa/certmonger/renew_ra_cert
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > Request ID '20130519130745':
>          >      >          >          status: NEED_CSR_GEN_PIN
>          >      >          >          ca-error: Internal error: no response to
>          >      >          >          "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>          >      >          >          stuck: yes
>          >      >          >          key pair storage:
>          >      >          >          type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>          >      >          >          '
>          >      >          >          certificate:
>          >      >          >          type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>          >      >          >          CA: dogtag-ipa-renew-agent
>          >      >          >          issuer: CN=Certificate Authority,O=sample.NET
>          >      >          >          subject: CN=test.sample.net,O=sample.NET
>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>          >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
>          >      >          >          pre-save command:
>          >      >          >          post-save command:
>          >      >          >          track: yes
>          >      >          >          auto-renew: yes
>          >      >          > --
>          >      >          >
>          >      >          > Thanks, Anthony
>          >      >          >
>          >      >          >
>          >      >          >
>          >      >
>          >      >         Hello Anthony!
>          >      >
>          >      >         After stopping NTP (or another time synchronizing service) and
>          >      >         setting the time manually, the server really doesn't have a way
>          >      >         to determine that its time differs from the real one.
>          >      >
>          >      >         I think this might be an issue with the Kerberos ticket. You can
>          >      >         show the content of root's ticket cache using klist. If there
>          >      >         is anything, clean it with kdestroy and try to resubmit the
>          >      >         request again.
>          >      >
>          >      >         --
>          >      >         David Kupka
>          >      >
>          >      >     --
>          >      >
>          >      >     Thanks, Anthony
>          >      >
>          >      > --
>          >      >
>          >      > Thanks, Anthony
>          >      >
>          >      >
>          >      >
>          >
>          > --
>          >
>          > Thanks, Anthony
>          >
>
>     --
>
>     Thanks, Anthony
>
> --
>
> Thanks, Anthony
>
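As an added example that is not from the thread or from the FreeIPA project, a small POSIX shell script that reads `getcert list` output, reports the requests whose `stuck:` flag is set, and prints (without running) the `getcert resubmit -i` command for each one, which is the step to take after `klist`/`kdestroy` has cleaned root's ticket cache and the clock is back in sync. The function names and the sample `getcert list` text (modelled on the output quoted above) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: find certmonger requests that are
# stuck, so they can be resubmitted once the host's time is synchronised again
# and root's ticket cache has been cleaned (klist / kdestroy), as advised above.
# Real use:  getcert list | stuck_requests      (or  | resubmit_commands)

# Constructed sample, modelled on the getcert output quoted in the thread.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        CA: dogtag-ipa-renew-agent
Request ID '20130519130745':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: yes
        CA: dogtag-ipa-renew-agent
EOF
}

# Read `getcert list` output on stdin; print "<request id> <status>" for each
# request whose "stuck:" flag is yes.
stuck_requests() {
  awk -v q="'" '
    /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id); status = "" }
    /^[ \t]*status:/ { status = $2 }
    /^[ \t]*stuck:/ && $2 == "yes" { print id, status }
  '
}

# Emit the resubmit command for every stuck request. Printed, not executed:
# run them by hand only after `klist` shows a clean cache (or after `kdestroy`)
# and the time service is back in sync, otherwise the clock-skew error returns.
resubmit_commands() {
  stuck_requests | while read -r id status; do
    printf 'getcert resubmit -i %s\n' "$id"
  done
}

sample_getcert_list | resubmit_commands
```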