[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Rob Crittenden
rcritten at redhat.com
Sat Apr 30 14:08:10 UTC 2016
Anthony Cheng wrote:
> OK so I made process on my cert renew issue; I was able to get kinit
> working so I can follow the rest of the steps here
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3
> certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
> (/sbin/service ipa restart), I still see:
>
> [root at test ~]# ipa-getcert list | more
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed
> at server. Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
> Would really greatly appreciate any help on this.
>
> Also I noticed after I do ldapmodify of usercertificate binary data with
>
> add: usercertificate;binary
> usercertificate;binary: !@#$@!#$#@$
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using
something like:
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER
formats.
I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.
rob
>
> Then I re-run
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>
> I see 2 entries for usercertificate;binary (before modify there was only
> 1) but they are duplicate and NOT from data that I added. That seems
> incorrect to me.
>
>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
> <anthony.wan.cheng at gmail.com <mailto:anthony.wan.cheng at gmail.com>> wrote:
>
> klist is actually empty; kinit admin fails. Sounds like then
> getcert resubmit has a dependency on kerberoes. I can get a backup
> image that has a valid ticket but it is only good for 1 day (and
> dated pasted the cert expire).
>
> Also I had asked awhile back about whether there is dependency on
> DIRSRV to renew the cert; didn't get any response but I suspect
> there is a dependency.
>
> Regarding the clock skew, I found out from /var/log/message that
> shows me this so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
> skew too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Creden
> tials cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so sounds to
> me I need to get a kerberoes ticket before going any further. Also
> is the file /etc/krb5.keytab access/modification time important? I
> had changed time back to before the cert expiration date and reboot
> and try renew but the error message about clock skew is still
> there. That seems strange.
>
> Lastly, as a absolute last resort, can I regenerate a new cert
> myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
> PKI-IPA... [ OK ]
> sample-NET... [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server: [ OK ]
> Starting DNS Service
> Starting named: [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Stopping Kerberos 5 Admin Server: [ OK ]
> Stopping named: [ OK ]
> Stopping httpd: [ OK ]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
> PKI-IPA... [ OK ]
> sample-NET... [ OK ]
> Aborting ipactl
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com
> <mailto:dkupka at redhat.com>> wrote:
>
> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the
> manual renewal procedure
> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> but even with
> > resetting the system/hardware clock to a time before expires,
> I am getting the
> > error "ca-error: Error setting up ccache for local "host"
> service using default
> > keytab: Clock skew too great."
> >
> > With NTP disable and clock reset why would it complain about
> clock skew and how
> > does it even know about the current time?
> >
> > [root at test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate
> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:46 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20111214223300':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:45 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20111214223316':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:45 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130741':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=CA Audit,O=sample.NET
> > expires: 2017-10-13 14:10:49 UTC
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130742':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=OCSP Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-OCSPSigning
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130743':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=CA Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130744':
> > status: MONITORING
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate
> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=RA Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130745':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes[root at test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate
> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:46 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20111214223300':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:45 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20111214223316':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host"
> service using
> > default keytab: Clock skew too great.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2016-01-29 14:09:45 UTC
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130741':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=CA Audit,O=sample.NET
> > expires: 2017-10-13 14:10:49 UTC
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130742':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=OCSP Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-OCSPSigning
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130743':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=CA Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130744':
> > status: MONITORING
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate
> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=RA Subsystem,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130745':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> > '
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=sample.NET
> > subject: CN=test.sample.net <http://test.sample.net>
> <http://test.sample.net>,O=sample.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > --
> >
> > Thanks, Anthony
> >
> >
> >
>
> Hello Anthony!
>
> After stopping NTP (or other time synchronizing service) and setting
> time manually server really don't have a way to determine that
> its time
> differs from the real one.
>
> I think this might be issue with Kerberos ticket. You can show
> content
> of root's ticket cache using klist. If there is anything clean
> it with
> kdestroy and try to resubmit the request again.
>
> --
> David Kupka
>
> --
>
> Thanks, Anthony
>
> --
>
> Thanks, Anthony
>
>
>
More information about the Freeipa-users
mailing list