[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Anthony Cheng anthony.wan.cheng at gmail.com
Fri Apr 29 20:51:00 UTC 2016


OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here (
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
(ipa-getcert resubmit -i <ID>) and restarting IPA
(/sbin/service ipa restart), I still see:

[root at test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Here is other relevant output:

[root at test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    sample-NET...                                          [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    sample-NET...                                          [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]

[root at test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test at sample.NET

Valid starting     Expires            Service principal
01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample.NET at sample.NET
01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample.net at sample.NET

[root at test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

[root at caer ~]# /sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]


Would really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$

Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only 1)
but they are duplicates and NOT from the data that I added.  That seems
incorrect to me.


On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.cheng at gmail.com>
wrote:

> klist is actually empty; kinit admin fails.  Sounds like then getcert
> resubmit has a dependency on Kerberos.  I can get a backup image that has
> a valid ticket but it is only good for 1 day (and dated past the cert
> expiry).
>
> Also I had asked a while back about whether there is a dependency on DIRSRV
> to renew the cert; didn't get any response but I suspect there is a
> dependency.
>
> Regarding the clock skew, I found out from /var/log/message, which shows me
> this, so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew
> too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
> need to get a Kerberos ticket before going any further.  Also, is the file
> /etc/krb5.keytab access/modification time important?  I had changed the time
> back to before the cert expiration date, rebooted and tried to renew, but the
> error message about clock skew is still there.  That seems strange.
>
> Lastly, as an absolute last resort, can I regenerate a new cert myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
>     PKI-IPA...                                             [  OK  ]
>     sample-NET...                                          [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting DNS Service
> Starting named:                                            [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping named:                                            [  OK  ]
> Stopping httpd:                                            [  OK  ]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     PKI-IPA...                                             [  OK  ]
>     sample-NET...                                          [  OK  ]
> Aborting ipactl
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dkupka at redhat.com> wrote:
>
>> On 27/04/16 21:54, Anthony Cheng wrote:
>> > Hi list,
>> >
>> > I am trying to renew expired certificates following the manual renewal
>> procedure
>> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even
>> with
>> > resetting the system/hardware clock to a time before expires, I am
>> getting the
>> > error "ca-error: Error setting up ccache for local "host" service using
>> default
>> > keytab: Clock skew too great."
>> >
>> > With NTP disabled and the clock reset, why would it complain about clock skew
>> and how
>> > does it even know about the current time?
>> >
>> > [root at test certs]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >          status: MONITORING
>> >          ca-error: Error setting up ccache for local "host" service
>> using
>> > default keytab: Clock skew too great.
>> >          stuck: no
>> >          key pair storage:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>> > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>> >          certificate:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>> > Certificate DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=test.sample.net,O=sample.NET
>> >          expires: 2016-01-29 14:09:46 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20111214223300':
>> >          status: MONITORING
>> >          ca-error: Error setting up ccache for local "host" service
>> using
>> > default keytab: Clock skew too great.
>> >          stuck: no
>> >          key pair storage:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >          certificate:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> > DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=test.sample.net,O=sample.NET
>> >          expires: 2016-01-29 14:09:45 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20111214223316':
>> >          status: MONITORING
>> >          ca-error: Error setting up ccache for local "host" service
>> using
>> > default keytab: Clock skew too great.
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >          certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=test.sample.net,O=sample.NET
>> >          expires: 2016-01-29 14:09:45 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130741':
>> >          status: NEED_CSR_GEN_PIN
>> >          ca-error: Internal error: no response to
>> > "
>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>> ".
>> >          stuck: yes
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=CA Audit,O=sample.NET
>> >          expires: 2017-10-13 14:10:49 UTC
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "auditSigningCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130742':
>> >          status: NEED_CSR_GEN_PIN
>> >          ca-error: Internal error: no response to
>> > "
>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>> ".
>> >          stuck: yes
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=OCSP Subsystem,O=sample.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-OCSPSigning
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "ocspSigningCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130743':
>> >          status: NEED_CSR_GEN_PIN
>> >          ca-error: Internal error: no response to
>> > "
>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>> ".
>> >          stuck: yes
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=CA Subsystem,O=sample.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "subsystemCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130744':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate
>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >          certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=RA Subsystem,O=sample.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command:
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130745':
>> >          status: NEED_CSR_GEN_PIN
>> >          ca-error: Internal error: no response to
>> > "
>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>> ".
>> >          stuck: yes
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=sample.NET
>> >          subject: CN=test.sample.net,O=sample.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > --
>> >
>> > Thanks, Anthony
>> >
>> >
>> >
>>
>> Hello Anthony!
>>
>> After stopping NTP (or another time synchronizing service) and setting the
>> time manually, the server really doesn't have a way to determine that its time
>> differs from the real one.
>>
>> I think this might be an issue with the Kerberos ticket. You can show the content
>> of root's ticket cache using klist. If there is anything, clean it with
>> kdestroy and try to resubmit the request again.
>>
>> --
>> David Kupka
>>
> --
>
> Thanks, Anthony
>
-- 

Thanks, Anthony
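As a defender-side check for the situation in this thread, here is an added Python example (not code from the thread, nor from FreeIPA or certmonger) that parses `getcert list` output in the format quoted above and reports every request that is stuck, carries a ca-error, is not in MONITORING, or whose certificate is expired or close to expiry, so renewal problems surface while Kerberos and the CA still work. The sample input is constructed from the thread's format, and the 28-day warning window is an assumption chosen for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the `getcert list` format quoted in the thread
# (three of the eight requests, trimmed; the PIN is a placeholder).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        CA: IPA
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        pre-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='[PIN-PLACEHOLDER]'
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names as printed."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Indented "key: value" lines belong to the current request; an
            # empty value (e.g. "pre-save command:") is kept as "".
            current[m.group("key").strip()] = m.group("value").strip()
    return requests

def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def find_problems(requests, now, warn_days=28):
    """Map request id -> reasons: stuck, ca-error, non-MONITORING status, expired,
    or expiring within warn_days (28 is an assumption made for this example)."""
    problems = {}
    for req in requests:
        reasons = []
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"][:50])
        if req.get("status") != "MONITORING":
            reasons.append("status " + req.get("status", "?"))
        if req.get("expires"):
            when = parse_expiry(req["expires"])
            if when <= now:
                reasons.append("expired " + req["expires"])
            elif when - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            problems[req["id"]] = reasons
    return problems
```

Run it against `getcert list` output captured from the server and any non-empty result is the signal to act while kinit still succeeds, since once the host tickets fail, certmonger cannot talk to the CA to renew at all.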