Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before the modify there was only
1) but they are duplicates and NOT from the data that I added. That seems
incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
<[email protected]> wrote:
klist is actually empty; kinit admin fails. Sounds like then
getcert resubmit has a dependency on Kerberos. I can get a backup
image that has a valid ticket but it is only good for 1 day (and
dated past the cert expiry).
Also I had asked a while back about whether there is a dependency on
DIRSRV to renew the cert; didn't get any response but I suspect
there is a dependency.
Regarding the clock skew, I found this in /var/log/messages, so it may be from named:
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so it sounds to
me like I need to get a Kerberos ticket before going any further. Also,
is the access/modification time of /etc/krb5.keytab important? I
had changed the time back to before the cert expiration date, rebooted
and tried renewing, but the error message about clock skew is still
there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert
myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named: [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka <[email protected]> wrote:
On 27/04/16 21:54, Anthony Cheng wrote:
> Hi list,
>
> I am trying to renew expired certificates following the manual renewal procedure
> here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
> resetting the system/hardware clock to a time before expiry, I am getting the
> error "ca-error: Error setting up ccache for local "host" service using default
> keytab: Clock skew too great."
>
> With NTP disabled and the clock reset, why would it complain about clock skew and how
> does it even know about the current time?
>
> [root@test certs]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>         expires: 2016-01-29 14:09:46 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>         expires: 2016-01-29 14:09:45 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223316':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>         expires: 2016-01-29 14:09:45 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130519130741':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=CA Audit,O=sample.NET
>         expires: 2017-10-13 14:10:49 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=OCSP Subsystem,O=sample.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=CA Subsystem,O=sample.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=RA Subsystem,O=sample.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> --
>
> Thanks, Anthony
>
>
>
Hello Anthony!
After stopping NTP (or another time-synchronizing service) and setting
the time manually, the server really doesn't have a way to determine that
its time differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the
content of root's ticket cache using klist. If there is anything, clean
it with kdestroy and try to resubmit the request again.
--
David Kupka
--
Thanks, Anthony
--
Thanks, Anthony
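The `getcert list` dump in this thread mixes two different failure modes: the three `CA: IPA` server certificates have already expired and fail with a Kerberos `Clock skew too great` error (the IPA helper authenticates with the host keytab before it can talk to the CA), while the `dogtag-ipa-renew-agent` requests are not expired at all but are stuck because nothing answers on the CA's port 9180. The following script is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list` output, marks each request as expired/stuck as of a reference time, classifies the `ca-error` text, and lists the distinct blockers. The sample input is a constructed excerpt of three of the eight requests above, re-flowed to one field per line with the NSS DB pin left out; the reference time `2016-04-28 09:20:00 UTC` is taken from the message date. The ordering of blockers (Kerberos before CA reachability) is the author's own assumption, on the grounds that the ccache error happens before any CA request is made.

```python
# Added example (not from the thread): triage a `getcert list` dump.
import re

# Constructed sample: three requests from the thread, one field per line, pin omitted.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_RE = re.compile(r"^(\d{4})-(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d) UTC$")


def parse_getcert(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: ca-error values contain URLs and colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def utc_key(stamp):
    """Turn 'YYYY-MM-DD HH:MM:SS UTC' into a sortable int tuple, or None if unparseable."""
    m = EXPIRES_RE.match(stamp or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify_error(ca_error):
    """Map certmonger's ca-error text to the component that has to be fixed."""
    if not ca_error:
        return None
    if "Clock skew too great" in ca_error:
        # Kerberos rejected the host-keytab ccache setup; no CA was contacted yet.
        return "kerberos-clock-skew"
    if "no response to" in ca_error:
        # The Dogtag renewal agent got no answer from the CA's EE endpoint.
        return "ca-unreachable"
    return "other"


def triage(requests, now):
    """Annotate each request with nickname, CA, stuck/expired state and error class as of `now`."""
    now_key = utc_key(now)
    report = []
    for req in requests:
        nick = NICKNAME_RE.search(req.get("certificate", ""))
        exp_key = utc_key(req.get("expires"))
        report.append({
            "id": req["id"],
            "nickname": nick.group(1) if nick else None,
            "ca": req.get("CA"),
            "stuck": req.get("stuck") == "yes",
            "expired": exp_key is not None and now_key is not None and exp_key <= now_key,
            "error": classify_error(req.get("ca-error")),
        })
    return report


def blockers(report):
    """Distinct error classes seen; Kerberos first (assumed order: auth fails before any CA call)."""
    order = ["kerberos-clock-skew", "ca-unreachable", "other"]
    seen = {r["error"] for r in report if r["error"]}
    return [e for e in order if e in seen]


if __name__ == "__main__":
    rep = triage(parse_getcert(SAMPLE_GETCERT), "2016-04-28 09:20:00 UTC")
    for r in rep:
        print(r)
    print("fix in this order:", blockers(rep))
```

To run it against a live server, pipe `getcert list` into `parse_getcert` and pass the real current time; the useful output is the split between requests whose certificate is actually expired and requests that are merely blocked by a service that is down.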