klist is actually empty; kinit admin fails. Sounds like getcert resubmit then has a dependency on Kerberos. I can get a backup image that has a valid ticket, but it is only good for 1 day (and dated past the cert expiry).

Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response, but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/messages that shows me this, so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further.

Also, is the /etc/krb5.keytab access/modification time important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
    PKI-IPA...                                  [  OK  ]
    sample-NET...                               [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                        [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:               [  OK  ]
Starting DNS Service
Starting named:                                 [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                        [  OK  ]
Stopping Kerberos 5 Admin Server:               [  OK  ]
Stopping named:                                 [  OK  ]
Stopping httpd:                                 [  OK  ]
Stopping pki-ca:                                [  OK  ]
Shutting down dirsrv:
    PKI-IPA...                                  [  OK  ]
    sample-NET...                               [  OK  ]
Aborting ipactl
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status: Directory Server is stopped

On Thu, Apr 28, 2016 at 3:21 AM David Kupka <[email protected]> wrote:
> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the manual renewal
> > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal),
> > but even with resetting the system/hardware clock to a time before it
> > expires, I am getting the error "ca-error: Error setting up ccache for
> > local "host" service using default keytab: Clock skew too great."
> >
> > With NTP disabled and the clock reset, why would it complain about clock
> > skew, and how does it even know about the current time?
> >
> > [root@test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=test.sample.net,O=sample.NET
> >         expires: 2016-01-29 14:09:46 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223300':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=test.sample.net,O=sample.NET
> >         expires: 2016-01-29 14:09:45 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223316':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=test.sample.net,O=sample.NET
> >         expires: 2016-01-29 14:09:45 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130741':
> >         status: NEED_CSR_GEN_PIN
> >         ca-error: Internal error: no response to
> > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=CA Audit,O=sample.NET
> >         expires: 2017-10-13 14:10:49 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130742':
> >         status: NEED_CSR_GEN_PIN
> >         ca-error: Internal error: no response to
> > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=OCSP Subsystem,O=sample.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130743':
> >         status: NEED_CSR_GEN_PIN
> >         ca-error: Internal error: no response to
> > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=CA Subsystem,O=sample.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130744':
> >         status: MONITORING
> >         ca-error: Internal error: no response to
> > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=RA Subsystem,O=sample.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130745':
> >         status: NEED_CSR_GEN_PIN
> >         ca-error: Internal error: no response to
> > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=test.sample.net,O=sample.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > --
> >
> > Thanks, Anthony
> >
>
> Hello Anthony!
>
> After stopping NTP (or another time-synchronizing service) and setting the
> time manually, the server really doesn't have a way to determine that its
> time differs from the real one.
>
> I think this might be an issue with the Kerberos ticket. You can show the
> content of root's ticket cache using klist. If there is anything, clean it
> with kdestroy and try to resubmit the request again.
>
> --
> David Kupka

--
Thanks, Anthony
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
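The thread above reads `getcert list` output by eye, and with eight tracked requests two distinct failures are easy to conflate: the three `CA: IPA` requests fail before any CA contact because certmonger cannot obtain a Kerberos ticket from the host keytab ("Clock skew too great"), while the `dogtag-ipa-renew-agent` requests fail because the CA's end-entity port at `http://test.sample.net:9180/...` did not answer, which is consistent with `pki-ca` and its `PKI-IPA` directory instance being down in the `ipactl` output. The following is an added example written for this page, not code from certmonger, FreeIPA or anyone in the thread: it parses `getcert list` output (keeping wrapped `ca-error` text, the quoted renewal URL and a split nickname whole), classifies each request by the subsystem that has to be fixed first, and flags certificates that are already past `expires` relative to a clock you pass in, so a clock deliberately set back for renewal can be checked against every certificate's validity. `SAMPLE_GETCERT_LIST` is constructed from the listing in the thread, trimmed to two requests with the NSS pin left out; the "next step" strings restate the thread's own advice (fix the clock, `kdestroy`, `getcert resubmit -i`; get `pki-ca` up before resubmitting), and 300 s is MIT Kerberos' default `clockskew`.

```python
"""Triage `getcert list` output from a FreeIPA server.  Added example for this
thread, not certmonger's or FreeIPA's code.  SAMPLE_GETCERT_LIST is constructed
from the listing in the thread, trimmed to two requests, NSS pin omitted."""
import re
from datetime import datetime, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        CA: IPA
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
"""

# Field names certmonger prints; a line starting with anything else is a wrapped value.
KNOWN_KEYS = {"status", "ca-error", "stuck", "key pair storage", "certificate", "CA",
              "issuer", "subject", "expires", "eku", "pre-save command",
              "post-save command", "track", "auto-renew"}
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):(?: (.*))?$")


def parse_getcert_list(text):
    """One dict per 'Request ID' block.  A line whose "key" is not a known field
    ('default keytab: Clock skew ...', the quoted URL, a split nickname) is a
    wrapped continuation and is glued onto the previous value."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        start = REQUEST_RE.match(line)
        if start:
            current = {"request_id": start.group(1)}
            records.append(current)
            last_key = None
        elif current is not None:
            field = FIELD_RE.match(line)
            if field and field.group(1) in KNOWN_KEYS:
                last_key = field.group(1)
                current[last_key] = field.group(2) or ""
            elif last_key is not None:
                current[last_key] = (current[last_key] + " " + line).strip()
    return records


def parse_time(value):
    """getcert prints 'expires' as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def classify(record):
    """Map the ca-error text to the subsystem that must be fixed first."""
    err = record.get("ca-error", "")
    if "Clock skew too great" in err:
        return "kerberos-clock-skew"
    if "no response to" in err:
        return "ca-unreachable"
    return "other-error" if err else "ok"


# Next steps are the thread's own advice; 300 s is MIT Kerberos' default clockskew.
NEXT_STEP = {
    "kerberos-clock-skew": "no ticket from the host keytab: bring the clock within 300 s "
                           "of the KDC, kdestroy any stale cache, then getcert resubmit -i <id>",
    "ca-unreachable": "no answer from the CA URL in the error: pki-ca (and the PKI-IPA "
                      "directory instance holding its data) must be up before resubmitting",
    "other-error": "read the ca-error text", "ok": "nothing to do",
}


def triage(text, now_utc):
    """Summarise each request against the clock 'now_utc' (same format as 'expires'),
    so a clock deliberately set back for renewal can be checked per certificate."""
    now = parse_time(now_utc)
    rows = []
    for r in parse_getcert_list(text):
        nick = re.search(r"nickname='([^']*)'", r.get("key pair storage", ""))
        problem = classify(r)
        rows.append({"request_id": r["request_id"], "status": r.get("status"),
                     "nickname": nick.group(1) if nick else None,
                     "stuck": r.get("stuck") == "yes", "problem": problem,
                     "expired": "expires" in r and parse_time(r["expires"]) <= now,
                     "next_step": NEXT_STEP[problem]})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_GETCERT_LIST, "2016-04-28 03:21:00 UTC"):
        print(f"{row['request_id']} {row['nickname']} {row['status']} stuck={row['stuck']} "
              f"expired={row['expired']} {row['problem']}\n    -> {row['next_step']}")
```

On a real server run `getcert list` and feed its output to `triage()` with the clock you intend to renew under; a request reported as `kerberos-clock-skew` will keep failing no matter what the CA does until `kinit -kt /etc/krb5.keytab` style authentication works on the host, which is why the thread's order (clock, ticket cache, then resubmit) matters.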
