On Wed, Apr 27, 2016 at 07:54:57PM +0000, Anthony Cheng wrote: > Hi list, > > I am trying to renew expired certificates following the manual renewal > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but > even with resetting the system/hardware clock to a time before expires, I > am getting the error "ca-error: Error setting up ccache for local "host" > service using default keytab: Clock skew too great."
This is a Kerberos error message which it not related to the certificate lifetime. Please try to make sure that client and server use the same time. bye, Sumit > > With NTP disable and clock reset why would it complain about clock skew and > how does it even know about the current time? > > [root@test certs]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Audit,O=sample.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=OCSP Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true > ". > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=RA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20130519130745': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes[root@test certs]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Audit,O=sample.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=OCSP Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true > ". > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=RA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20130519130745': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true > ". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > -- > > Thanks, Anthony > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
