Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Rob Crittenden Mon, 02 May 2016 07:15:13 -0700

Anthony Cheng wrote:

On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <[email protected]
<mailto:[email protected]>> wrote:


    Anthony Cheng wrote:
     > OK so I made process on my cert renew issue; I was able to get kinit
     > working so I can follow the rest of the steps here
     > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
     >
     > However, after using
     >
     > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w
    password
     >
     > and restarting apache (/sbin/service httpd restart), resubmitting 3
     > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit
    -i <ID>)
     > (/sbin/service ipa restart), I still see:
     >
     > [root@test ~]# ipa-getcert list | more
     > Number of certificates and requests being tracked: 8.
     > Request ID '20111214223243':
     >          status: CA_UNREACHABLE
     >          ca-error: Server failed request, will retry: 4301 (RPC
    failed
     > at server.  Certificate operation cannot be compl
     > eted: Unable to communicate with CMS (Not Found)).

    IPA proxies requests to the CA through Apache. This means that while
    tomcat started ok it didn't load the dogtag CA application, hence the
    Not Found.

    Check the CA debug and selftest logs to see why it failed to start
    properly.

    [ snip ]

Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot be
auth enticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disable NTP so somehow the system still
know today's time.

PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)

Hard to say. I'd confirm that there is no time syncing service running,ntp or otherwise.


     > Would really greatly appreciate any help on this.
     >
     > Also I noticed after I do ldapmodify of usercertificate binary
    data with
     >
     > add: usercertificate;binary
     > usercertificate;binary: !@#$@!#$#@$

    You really pasted in binary? Or was this base64-encoded data?

    I wonder if there is a problem in the wiki. If this is really a binary
    value you should start with a DER-encoded cert and load it using
    something like:

    dn: uid=ipara,ou=people,o=ipaca
    changetype: modify
    add: usercertificate;binary
    usercertificate;binary:< file:///path/to/cert.der

    You can use something like openssl x509 to switch between PEM and DER
    formats.

    I have a vague memory that dogtag can deal with a multi-valued
    usercertificate attribute.

    rob


Yes the wiki stated binary, the result of:
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.

Ok. So I looked at my CA data and it doesn't use the binary subtype, somy entries look like:


userCertificate:: MIID....

It might make a difference if dogtag is looking for the subtype or not.

rob


     >
     > Then I re-run
     >
     > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W
    -b uid=ipara,ou=People,o=ipaca
     >
     > I see 2 entries for usercertificate;binary (before modify there
    was only
     > 1) but they are duplicate and NOT from data that I added.  That seems
     > incorrect to me.
     >
     >
     > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
     > <[email protected] <mailto:[email protected]>
    <mailto:[email protected]
    <mailto:[email protected]>>> wrote:
     >
     >     klist is actually empty; kinit admin fails.  Sounds like then
     >     getcert resubmit has a dependency on kerberoes.  I can get a
    backup
     >     image that has a valid ticket but it is only good for 1 day (and
     >     dated pasted the cert expire).
     >
     >     Also I had asked awhile back about whether there is dependency on
     >     DIRSRV to renew the cert; didn't get any response but I suspect
     >     there is a dependency.
     >
     >     Regarding the clock skew, I found out from /var/log/message that
     >     shows me this so it may be from named:
     >
     >     Jan 28 14:10:42 test named[2911]: Failed to init credentials
    (Clock
     >     skew too great)
     >     Jan 28 14:10:42 test named[2911]: loading configuration: failure
     >     Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
     >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
     >     failure.  Minor code may provide more information (Creden
     >     tials cache file '/tmp/krb5cc_496' not found)
     >
     >     I don't have a krb5cc_496 file (since klist is empty), so
    sounds to
     >     me I need to get a kerberoes ticket before going any
    further.  Also
     >     is the file /etc/krb5.keytab access/modification time
    important?  I
     >     had changed time back to before the cert expiration date and
    reboot
     >     and try renew but the error message about clock skew is still
     >     there.  That seems strange.
     >
     >     Lastly, as a absolute last resort, can I regenerate a new cert
     >     myself?
     >
    
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
     >
     >     [root@test /]# klist
     >     klist: No credentials cache found (ticket cache
    FILE:/tmp/krb5cc_0)
     >     [root@test /]# service ipa start
     >     Starting Directory Service
     >     Starting dirsrv:
     >          PKI-IPA...
      [  OK  ]
     >          sample-NET...
    [  OK  ]
     >     Starting KDC Service
     >     Starting Kerberos 5 KDC:                                   [
    OK  ]
     >     Starting KPASSWD Service
     >     Starting Kerberos 5 Admin Server:                          [
    OK  ]
     >     Starting DNS Service
     >     Starting named:
    [FAILED]
     >     Failed to start DNS Service
     >     Shutting down
     >     Stopping Kerberos 5 KDC:                                   [
    OK  ]
     >     Stopping Kerberos 5 Admin Server:                          [
    OK  ]
     >     Stopping named:                                            [
    OK  ]
     >     Stopping httpd:                                            [
    OK  ]
     >     Stopping pki-ca:                                           [
    OK  ]
     >     Shutting down dirsrv:
     >          PKI-IPA...
      [  OK  ]
     >          sample-NET...
    [  OK  ]
     >     Aborting ipactl
     >     [root@test /]# klist
     >     klist: No credentials cache found (ticket cache
    FILE:/tmp/krb5cc_0)
     >     [root@test /]# service ipa status
     >     Directory Service: STOPPED
     >     Failed to get list of services to probe status:
     >     Directory Server is stopped
     >
     >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
    <[email protected] <mailto:[email protected]>
     >     <mailto:[email protected] <mailto:[email protected]>>> wrote:
     >
     >         On 27/04/16 21:54, Anthony Cheng wrote:
     >          > Hi list,
     >          >
     >          > I am trying to renew expired certificates following the
     >         manual renewal procedure
     >          > here
    (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
     >         but even with
     >          > resetting the system/hardware clock to a time before
    expires,
     >         I am getting the
     >          > error "ca-error: Error setting up ccache for local "host"
     >         service using default
     >          > keytab: Clock skew too great."
     >          >
     >          > With NTP disable and clock reset why would it complain
    about
     >         clock skew and how
     >          > does it even know about the current time?
     >          >
     >          > [root@test certs]# getcert list
     >          > Number of certificates and requests being tracked: 8.
     >          > Request ID '20111214223243':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
     >          > Certificate
     >         DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
     >          >          certificate:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
     >          > Certificate DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:46 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20111214223300':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     >         Certificate
     >          > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     >          >          certificate:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     >         Certificate
     >          > DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:45 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20111214223316':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     >          > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     >          > Certificate DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:45 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130741':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=CA Audit,O=sample.NET
     >          >          expires: 2017-10-13 14:10:49 UTC
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "auditSigningCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130742':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=OCSP Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-OCSPSigning
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "ocspSigningCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130743':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=CA Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "subsystemCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130744':
     >          >          status: MONITORING
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true";.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
     >         Certificate
     >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
     >         Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=RA Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ra_cert
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130745':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes[root@test certs]# getcert list
     >          > Number of certificates and requests being tracked: 8.
     >          > Request ID '20111214223243':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
     >          > Certificate
     >         DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
     >          >          certificate:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
     >          > Certificate DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:46 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20111214223300':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     >         Certificate
     >          > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     >          >          certificate:
     >          >
     >
      
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     >         Certificate
     >          > DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:45 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20111214223316':
     >          >          status: MONITORING
     >          >          ca-error: Error setting up ccache for local
    "host"
     >         service using
     >          > default keytab: Clock skew too great.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     >          > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     >          > Certificate DB'
     >          >          CA: IPA
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2016-01-29 14:09:45 UTC
     >          >          eku: id-kp-serverAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130741':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=CA Audit,O=sample.NET
     >          >          expires: 2017-10-13 14:10:49 UTC
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "auditSigningCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130742':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=OCSP Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-OCSPSigning
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "ocspSigningCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130743':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=CA Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
    /usr/lib64/ipa/certmonger/stop_pkicad
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ca_cert
     >          > "subsystemCert cert-pki-ca"
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130744':
     >          >          status: MONITORING
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true";.
     >          >          stuck: no
     >          >          key pair storage:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
     >         Certificate
     >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     >          >          certificate:
     >          >
     >
      type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
     >         Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=RA Subsystem,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
     >          >          post-save command:
     >         /usr/lib64/ipa/certmonger/renew_ra_cert
     >          >          track: yes
     >          >          auto-renew: yes
     >          > Request ID '20130519130745':
     >          >          status: NEED_CSR_GEN_PIN
     >          >          ca-error: Internal error: no response to
     >          >
     >
      
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
     >          >          stuck: yes
     >          >          key pair storage:
     >          >
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
     >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664
     >          > '
     >          >          certificate:
     >          >
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
     >          > cert-pki-ca',token='NSS Certificate DB'
     >          >          CA: dogtag-ipa-renew-agent
     >          >          issuer: CN=Certificate Authority,O=sample.NET
     >          >          subject: CN=test.sample.net
    <http://test.sample.net> <http://test.sample.net>
     >         <http://test.sample.net>,O=sample.NET
     >          >          expires: 2017-10-13 14:09:49 UTC
     >          >          eku: id-kp-serverAuth,id-kp-clientAuth
     >          >          pre-save command:
     >          >          post-save command:
     >          >          track: yes
     >          >          auto-renew: yes
     >          > --
     >          >
     >          > Thanks, Anthony
     >          >
     >          >
     >          >
     >
     >         Hello Anthony!
     >
     >         After stopping NTP (or other time synchronizing service)
    and setting
     >         time manually server really don't have a way to determine
    that
     >         its time
     >         differs from the real one.
     >
     >         I think this might be issue with Kerberos ticket. You can
    show
     >         content
     >         of root's ticket cache using klist. If there is anything
    clean
     >         it with
     >         kdestroy and try to resubmit the request again.
     >
     >         --
     >         David Kupka
     >
     >     --
     >
     >     Thanks, Anthony
     >
     > --
     >
     > Thanks, Anthony
     >
     >
     >

--

Thanks, Anthony


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Reply via email to