OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>) (/sbin/service ipa restart), I still see:

[root@test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=sample.NET
    subject: CN=test.sample.net,O=sample.NET
    expires: 2016-01-29 14:09:46 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20111214223300':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=sample.NET
    subject: CN=test.sample.net,O=sample.NET
    expires: 2016-01-29 14:09:45 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20111214223316':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=sample.NET
    subject: CN=test.sample.net,O=sample.NET
    expires: 2016-01-29 14:09:45 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Here is other relevant output:

root@test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    sample-NET... [ OK ]
Starting dirsrv:
    PKI-IPA... [ OK ]
    sample-NET... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: t...@sample.net

Valid starting     Expires            Service principal
01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample....@sample.net
01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample....@sample.net
[root@test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[root@caer ~]# /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Would really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$

Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicates and NOT from data that I added. That seems incorrect to me.

On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:

> klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expire).
>
> Also I had asked awhile back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
>
> Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and rebooted and tried to renew but the error message about clock skew is still there. That seems strange.
>
> Lastly, as an absolute last resort, can I regenerate a new cert myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root@test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
>     PKI-IPA... [ OK ]
>     sample-NET... [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server: [ OK ]
> Starting DNS Service
> Starting named: [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Stopping Kerberos 5 Admin Server: [ OK ]
> Stopping named: [ OK ]
> Stopping httpd: [ OK ]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
>     PKI-IPA... [ OK ]
>     sample-NET... [ OK ]
> Aborting ipactl
> [root@test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dku...@redhat.com> wrote:
>
>> On 27/04/16 21:54, Anthony Cheng wrote:
>> > Hi list,
>> >
>> > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
>> >
>> > With NTP disabled and clock reset why would it complain about clock skew and how does it even know about the current time?
>> >
>> > [root@test certs]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >     status: MONITORING
>> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=test.sample.net,O=sample.NET
>> >     expires: 2016-01-29 14:09:46 UTC
>> >     eku: id-kp-serverAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20111214223300':
>> >     status: MONITORING
>> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=test.sample.net,O=sample.NET
>> >     expires: 2016-01-29 14:09:45 UTC
>> >     eku: id-kp-serverAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20111214223316':
>> >     status: MONITORING
>> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=test.sample.net,O=sample.NET
>> >     expires: 2016-01-29 14:09:45 UTC
>> >     eku: id-kp-serverAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20130519130741':
>> >     status: NEED_CSR_GEN_PIN
>> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >     stuck: yes
>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=CA Audit,O=sample.NET
>> >     expires: 2017-10-13 14:10:49 UTC
>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20130519130742':
>> >     status: NEED_CSR_GEN_PIN
>> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >     stuck: yes
>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=OCSP Subsystem,O=sample.NET
>> >     expires: 2017-10-13 14:09:49 UTC
>> >     eku: id-kp-OCSPSigning
>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20130519130743':
>> >     status: NEED_CSR_GEN_PIN
>> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >     stuck: yes
>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=CA Subsystem,O=sample.NET
>> >     expires: 2017-10-13 14:09:49 UTC
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20130519130744':
>> >     status: MONITORING
>> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=RA Subsystem,O=sample.NET
>> >     expires: 2017-10-13 14:09:49 UTC
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command:
>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> >     track: yes
>> >     auto-renew: yes
>> > Request ID '20130519130745':
>> >     status: NEED_CSR_GEN_PIN
>> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >     stuck: yes
>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >     CA: dogtag-ipa-renew-agent
>> >     issuer: CN=Certificate Authority,O=sample.NET
>> >     subject: CN=test.sample.net,O=sample.NET
>> >     expires: 2017-10-13 14:09:49 UTC
>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>> >     pre-save command:
>> >     post-save command:
>> >     track: yes
>> >     auto-renew: yes
>> > --
>> >
>> > Thanks, Anthony
>> >
>>
>> Hello Anthony!
>>
>> After stopping NTP (or other time synchronizing service) and setting time manually the server really doesn't have a way to determine that its time differs from the real one.
>>
>> I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
>>
>> --
>> David Kupka
>>
> --
>
> Thanks, Anthony
>
--
Thanks, Anthony
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
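
Added example, not part of the original thread and not FreeIPA or certmonger code: a small Python parser for `getcert list` output of the kind pasted above, which re-joins mail-wrapped fields and flags each tracked request as expired, stuck, or failing with one of the three ca-error messages seen in this thread. The sample input is constructed (abbreviated from the thread), and the flag names are labels chosen for this example.

```python
import re
from datetime import datetime, timezone

FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate", "CA", "issuer", "subject",
          "expires", "eku", "pre-save command", "post-save command", "track", "auto-renew"}
# ca-error substrings seen in the thread -> labels made up for this example
HINTS = [("Clock skew too great", "kerberos-clock-skew"),
         ("Unable to communicate with CMS", "ca-backend-unreachable"),
         ("no response to", "ca-endpoint-no-response")]
# Constructed sample, abbreviated from the output quoted in the thread; the
# second ca-error is wrapped on purpose, the way a mail client wraps it.
SAMPLE = """\
Request ID '20111214223243':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-01-29 14:09:46 UTC
Request ID '20111214223316':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be
    completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-01-29 14:09:45 UTC
Request ID '20130519130744':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2017-10-13 14:09:49 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    records, last = [], None
    for line in map(str.strip, text.splitlines()):
        start = re.match(r"Request ID '([^']+)':$", line)
        field = re.match(r"([A-Za-z][A-Za-z -]*?):\s*(.*)$", line)
        if start:
            records.append({"id": start.group(1)})
            last = None
        elif records and field and field.group(1) in FIELDS:
            last = field.group(1)
            records[-1][last] = field.group(2)
        elif records and last and line:
            records[-1][last] += " " + line  # wrapped continuation of a field
    return records

def triage(records, now):
    """Return (request id, nickname, CA, flags) for each tracked request."""
    out = []
    for r in records:
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        flags = [tag for needle, tag in HINTS if needle in r.get("ca-error", "")]
        if r.get("stuck") == "yes":
            flags.insert(0, "stuck")
        if exp <= now:  # compared against the clock value passed in, not the real time
            flags.insert(0, "expired")
        nick = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        out.append((r["id"], nick.group(1) if nick else "?", r.get("CA", "?"), flags))
    return out

for row in triage(parse_getcert_list(SAMPLE), datetime(2016, 4, 28, tzinfo=timezone.utc)):
    print(row)
```

Passing a rolled-back `now` (for example a time on 2016-01-28) shows which requests would still count as expired under the adjusted clock.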