<div dir="ltr"><div><div>Hi list,<br><br></div>I am trying to renew expired certificates following the manual renewal procedure here (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) but even after resetting the system/hardware clock to a time before they expire, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."<br><br></div><div>With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?<br></div><div><br>[root@test certs]# getcert list<br>Number of certificates and requests being tracked: 8.<br>Request ID '20111214223243':<br>        status: MONITORING<br>        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET<br>        expires: 2016-01-29 14:09:46 UTC<br>        eku: id-kp-serverAuth<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br>Request ID '20111214223300':<br>        status: MONITORING<br>        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET<br>        expires: 2016-01-29 14:09:45 UTC<br>        eku: id-kp-serverAuth<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br>Request ID '20111214223316':<br>        status: MONITORING<br>        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET<br>        expires: 2016-01-29 14:09:45 UTC<br>        eku: id-kp-serverAuth<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br>Request ID '20130519130741':<br>        status: NEED_CSR_GEN_PIN<br>        ca-error: Internal error: no response to "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>'<br>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>        CA: dogtag-ipa-renew-agent<br>        issuer: 
CN=Certificate Authority,O=sample.NET<br>        subject: CN=CA Audit,O=sample.NET<br>        expires: 2017-10-13 14:10:49 UTC<br>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>        track: yes<br>        auto-renew: yes<br>Request ID '20130519130742':<br>        status: NEED_CSR_GEN_PIN<br>        ca-error: Internal error: no response to "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>'<br>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>        CA: dogtag-ipa-renew-agent<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=OCSP Subsystem,O=sample.NET<br>        expires: 2017-10-13 14:09:49 UTC<br>        eku: id-kp-OCSPSigning<br>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>        track: yes<br>        auto-renew: yes<br>Request ID '20130519130743':<br>        status: NEED_CSR_GEN_PIN<br>        ca-error: Internal error: no response to "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate 
DB',pin='297100916664<br>'<br>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>        CA: dogtag-ipa-renew-agent<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=CA Subsystem,O=sample.NET<br>        expires: 2017-10-13 14:09:49 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>        track: yes<br>        auto-renew: yes<br>Request ID '20130519130744':<br>        status: MONITORING<br>        ca-error: Internal error: no response to "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>        CA: dogtag-ipa-renew-agent<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=RA Subsystem,O=sample.NET<br>        expires: 2017-10-13 14:09:49 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br>        track: yes<br>        auto-renew: yes<br>Request ID '20130519130745':<br>        status: NEED_CSR_GEN_PIN<br>        ca-error: Internal error: no response to "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>        
stuck: yes<br>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>'<br>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>        CA: dogtag-ipa-renew-agent<br>        issuer: CN=Certificate Authority,O=sample.NET<br>        subject: CN=<a href="http://test.sample.net">test.sample.net</a>,O=sample.NET<br>        expires: 2017-10-13 14:09:49 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br></div></div><div dir="ltr">-- <br></div><p dir="ltr">Thanks, Anthony</p>
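<p>Added example, not part of the original message and not FreeIPA or certmonger code: a small Python parser for the <code>getcert list</code> layout shown above. It lists stuck requests, groups request IDs by identical ca-error text, and finds the earliest <code>expires</code> value, which is the date a rolled-back clock has to precede for every tracked certificate to still be unexpired. SAMPLE is constructed from fields in the output above; parse_getcert, expiry and triage are hypothetical names.</p>

```python
import re
from datetime import datetime, timezone
# Constructed sample: three requests cut down to the fields used below.
SAMPLE = """\
Request ID '20111214223243':
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit".
        stuck: yes
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit".
        stuck: no
        expires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as ca-error contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def expiry(request):
    stamp = datetime.strptime(request["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return stamp.replace(tzinfo=timezone.utc)

def triage(text, now):
    """Summarise stuck requests, shared ca-errors and expiry relative to `now`."""
    reqs = parse_getcert(text)
    errors = {}
    for r in reqs:
        if r.get("ca-error"):
            errors.setdefault(r["ca-error"], []).append(r["id"])
    dated = [r for r in reqs if r.get("expires")]  # pending requests may have none
    return {"stuck": [r["id"] for r in reqs if r.get("stuck") == "yes"],
            "errors": errors,
            "expired": [r["id"] for r in dated if expiry(r) <= now],
            "earliest_expiry": min((expiry(r) for r in dated), default=None)}
```

<p>Run it against real output by passing the text of <code>getcert list</code> and the clock value under test, as an aware UTC datetime, to <code>triage</code>.</p>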