Florence, thanks for the reply.
There are 2 IPA servers; the one I'm trying to fix the certs on is the CA renewal
master, server1.
I had to redact some details.
#ipa config-show
Max username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: company.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=COMPANY.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order:
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: server1.company.com, server2.company.com
IPA master capable of PKINIT: server1.company.com
IPA CA servers: server1.company.com, server2.company.com
IPA NTP servers: server1.company.com, server2.company.com
IPA CA renewal master: server1.company.com
IPA DNS servers: server1.company.com, server2.company.com
There are 3 expired certs, with the dogtag one having expired first and that
probably causing the other two not to be renewed. If I roll back the clock to
before expiration, everything starts up fine; I just can't get the dogtag cert
to renew. I get "csngen_adjust_local_time - Adjustment limit exceeded" whenever
I try "ipa-getcert resubmit -i".
Request ID '000012':
status: NEED_GUIDANCE
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=COMPANY.COM
subject: CN=server1.company.com,O=COMPANY.COM
expires: <several weeks ago>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '000013':
status: NEED_CSR_GEN_PIN
ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-COMPANY-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=COMPANY.COM
subject: CN=server1.company.com,O=COMPANY.COM
expires: <several weeks ago>
principal name: ldap/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv COMPANY-COM
track: yes
auto-renew: yes
Request ID '000017':
status: NEED_CSR_GEN_PIN
ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=COMPANY.COM
subject: CN=server1.company.com,O=COMPANY.COM
expires: <several weeks ago>
principal name: HTTP/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
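A small triage helper for the situation in this post, added here as an illustration (it is not FreeIPA or certmonger code): it parses `getcert list` output, reports which tracking requests are stuck, and orders the expired certificates by expiry date, so that the first one to expire (the dogtag CA subsystem cert in this thread) can be identified and fixed before the ones that depend on it. The `SAMPLE_GETCERT_LIST` text is constructed to mirror the field layout shown above; its request IDs, dates and paths are made up.

```python
"""Triage helper for `getcert list` output: which tracking requests are
stuck, which certificates have already expired, and in what order.

Added example for the mailing-list thread, not FreeIPA or certmonger code.
SAMPLE_GETCERT_LIST is constructed to mirror certmonger's field layout;
the IDs, dates and paths in it are invented for illustration.
"""
import re
from datetime import datetime, timezone

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # the form certmonger prints

# Constructed sample output (tabs are what certmonger really emits).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '000012':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=server1.company.com,O=COMPANY.COM
\texpires: 2024-01-05 10:00:00 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
Request ID '000013':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
\tstuck: yes
\tCA: IPA
\tsubject: CN=server1.company.com,O=COMPANY.COM
\texpires: 2024-01-20 10:00:00 UTC
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv COMPANY-COM
\ttrack: yes
\tauto-renew: yes
Request ID '000020':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=server1.company.com,O=COMPANY.COM
\texpires: 2025-06-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(value, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names
    certmonger prints ('status', 'stuck', 'CA', 'expires', ...) plus 'id'.
    'expires' is converted to a datetime; everything else stays a string."""
    requests = []
    current = None
    for raw in text.splitlines():
        header = REQUEST_HEADER.match(raw)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # preamble such as the "Number of certificates" count
        key, value = raw.strip().split(":", 1)  # first colon ends the key
        value = value.strip()
        current[key] = parse_utc(value) if key == "expires" else value
    return requests


def stuck_requests(requests):
    """IDs of requests certmonger has given up on (stuck: yes)."""
    return [r["id"] for r in requests if r.get("stuck") == "yes"]


def expired_requests(requests, now):
    """Requests whose certificate expired before `now`, earliest first.
    The earliest one is usually the cert that broke renewal for the others
    (here the dogtag CA subsystem cert), so it is the one to repair first."""
    expired = [r for r in requests if "expires" in r and r["expires"] < now]
    return sorted(expired, key=lambda r: r["expires"])


def triage(text, now):
    """One summary line per expired request, in the order to fix them."""
    requests = parse_getcert_list(text)
    stuck = set(stuck_requests(requests))
    lines = []
    for r in expired_requests(requests, now):
        flag = "stuck" if r["id"] in stuck else "not stuck"
        lines.append(f"{r['id']}: expired {r['expires']:%Y-%m-%d} via CA "
                     f"{r.get('CA', '?')} ({flag}, status {r.get('status', '?')})")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_GETCERT_LIST, datetime.now(timezone.utc)):
        print(line)
```

On a real server, feed it `getcert list` output (`getcert list | python3 triage.py` style, after swapping the sample for `sys.stdin.read()`); the ordering by expiry is the useful part, since the CA-issued service certs cannot renew until the CA subsystem cert that expired before them has been dealt with.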
_______________________________________________
FreeIPA-users mailing list -- [email protected]