I made further progress: I managed to get it into the NEED_TO_SUBMIT state again after a reboot, and this time klist and the clock look good. However, I am getting this error while restarting IPA:
Starting dirsrv:
PKI-IPA...[29/Apr/2016:21:41:48 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

The error time is different from the time I changed the clock to; after searching all files on the computer I found some files that have that time: /var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo and /var/tmp/DNS_25. I changed the access time on them, restarted and got the correct time in the error log:

Starting dirsrv:
PKI-IPA...[28/Sep/2014:14:58:15 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.) [ OK ]
sample-NET...[28/Sep/2014:14:58:16 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Looking at the server cert, there are actually 2, and one of them is expired no matter what time I set the clock to, due to the time gap between them; that seems to indicate that I need to remove one of them:

[root@test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep 'Issuer\|Not\|Subject\|Name'
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:

> OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>) (/sbin/service ipa restart), I still see:
>
> [root@test ~]# ipa-getcert list | more
>
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:46 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Here is other relevant output:
>
> [root@test ~]# /sbin/service ipa restart
> Restarting Directory Service
> Shutting down dirsrv:
> PKI-IPA... [ OK ]
> sample-NET... [ OK ]
> Starting dirsrv:
> PKI-IPA... [ OK ]
> sample-NET... [ OK ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC: [ OK ]
> Starting Kerberos 5 KDC: [ OK ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server: [ OK ]
> Starting Kerberos 5 Admin Server: [ OK ]
> Restarting DNS Service
> Stopping named: . [ OK ]
> Starting named: [ OK ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached: [ OK ]
> Starting ipa_memcached: [ OK ]
> Restarting HTTP Service
> Stopping httpd: [ OK ]
> Starting httpd: [ OK ]
> Restarting CA Service
> Stopping pki-ca: [ OK ]
> Starting pki-ca: [ OK ]
>
> [root@test ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: t...@sample.net
>
> Valid starting     Expires            Service principal
> 01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample....@sample.net
> 01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample....@sample.net
>
> [root@test ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> [root@caer ~]# /sbin/service httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: [ OK ]
>
> I would really greatly appreciate any help on this.
>
> Also I noticed that after I do an ldapmodify of the usercertificate binary data with
>
> add: usercertificate;binary
> usercertificate;binary: !@#$@!#$#@$
>
> and then re-run
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>
> I see 2 entries for usercertificate;binary (before the modify there was only 1), but they are duplicates and NOT from the data that I added. That seems incorrect to me.
>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:
>
>> klist is actually empty; kinit admin fails. It sounds, then, like getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket, but it is only good for 1 day (and dated past the cert expiry).
>>
>> Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; I didn't get any response, but I suspect there is a dependency.
>>
>> Regarding the clock skew, I found this in /var/log/messages, so it may be from named:
>>
>> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>> Jan 28 14:10:42 test named[2911]: loading configuration: failure
>> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>>
>> I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further. Also, is the access/modification time of the file /etc/krb5.keytab important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.
>>
>> Lastly, as an absolute last resort, can I regenerate a new cert myself?
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>
>> [root@test /]# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> [root@test /]# service ipa start
>> Starting Directory Service
>> Starting dirsrv:
>> PKI-IPA... [ OK ]
>> sample-NET... [ OK ]
>> Starting KDC Service
>> Starting Kerberos 5 KDC: [ OK ]
>> Starting KPASSWD Service
>> Starting Kerberos 5 Admin Server: [ OK ]
>> Starting DNS Service
>> Starting named: [FAILED]
>> Failed to start DNS Service
>> Shutting down
>> Stopping Kerberos 5 KDC: [ OK ]
>> Stopping Kerberos 5 Admin Server: [ OK ]
>> Stopping named: [ OK ]
>> Stopping httpd: [ OK ]
>> Stopping pki-ca: [ OK ]
>> Shutting down dirsrv:
>> PKI-IPA... [ OK ]
>> sample-NET... [ OK ]
>> Aborting ipactl
>> [root@test /]# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> [root@test /]# service ipa status
>> Directory Service: STOPPED
>> Failed to get list of services to probe status:
>> Directory Server is stopped
>>
>> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dku...@redhat.com> wrote:
>>
>>> On 27/04/16 21:54, Anthony Cheng wrote:
>>> > Hi list,
>>> >
>>> > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), but even with resetting the system/hardware clock to a time before they expire, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
>>> >
>>> > With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?
>>> >
>>> > [root@test certs]# getcert list
>>> > Number of certificates and requests being tracked: 8.
>>> > Request ID '20111214223243':
>>> > status: MONITORING
>>> > ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > stuck: no
>>> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=test.sample.net,O=sample.NET
>>> > expires: 2016-01-29 14:09:46 UTC
>>> > eku: id-kp-serverAuth
>>> > pre-save command:
>>> > post-save command:
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20111214223300':
>>> > status: MONITORING
>>> > ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > stuck: no
>>> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=test.sample.net,O=sample.NET
>>> > expires: 2016-01-29 14:09:45 UTC
>>> > eku: id-kp-serverAuth
>>> > pre-save command:
>>> > post-save command:
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20111214223316':
>>> > status: MONITORING
>>> > ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > stuck: no
>>> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=test.sample.net,O=sample.NET
>>> > expires: 2016-01-29 14:09:45 UTC
>>> > eku: id-kp-serverAuth
>>> > pre-save command:
>>> > post-save command:
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20130519130741':
>>> > status: NEED_CSR_GEN_PIN
>>> > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>> > stuck: yes
>>> > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > CA: dogtag-ipa-renew-agent
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=CA Audit,O=sample.NET
>>> > expires: 2017-10-13 14:10:49 UTC
>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20130519130742':
>>> > status: NEED_CSR_GEN_PIN
>>> > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>> > stuck: yes
>>> > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > CA: dogtag-ipa-renew-agent
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=OCSP Subsystem,O=sample.NET
>>> > expires: 2017-10-13 14:09:49 UTC
>>> > eku: id-kp-OCSPSigning
>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20130519130743':
>>> > status: NEED_CSR_GEN_PIN
>>> > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>> > stuck: yes
>>> > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> > CA: dogtag-ipa-renew-agent
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=CA Subsystem,O=sample.NET
>>> > expires: 2017-10-13 14:09:49 UTC
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20130519130744':
>>> > status: MONITORING
>>> > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>> > stuck: no
>>> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > CA: dogtag-ipa-renew-agent
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=RA Subsystem,O=sample.NET
>>> > expires: 2017-10-13 14:09:49 UTC
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command:
>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> > track: yes
>>> > auto-renew: yes
>>> > Request ID '20130519130745':
>>> > status: NEED_CSR_GEN_PIN
>>> > ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>> > stuck: yes
>>> > key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > '
>>> > certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> > CA: dogtag-ipa-renew-agent
>>> > issuer: CN=Certificate Authority,O=sample.NET
>>> > subject: CN=test.sample.net,O=sample.NET
>>> > expires: 2017-10-13 14:09:49 UTC
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command:
>>> > post-save command:
>>> > track: yes
>>> > auto-renew: yes
>>> > --
>>> >
>>> > Thanks, Anthony
>>>
>>> Hello Anthony!
>>>
>>> After stopping NTP (or another time-synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.
>>>
>>> I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist.
>>> If there is anything, clean it with kdestroy and try to resubmit the request again.
>>>
>>> --
>>> David Kupka
>>
>> --
>>
>> Thanks, Anthony
>
> --
>
> Thanks, Anthony

--
Thanks, Anthony
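The two Server-Cert entries in the certutil output at the top of this message have validity windows that do not overlap (one ends in Oct 2014, the other starts in Aug 2015), which is why no clock setting makes both of them valid at once. The script below is an added example, not code from this thread or from FreeIPA, certmonger or NSS: it parses the Issuer / Not Before / Not After / Subject lines that certutil -L prints, reports each certificate's status at a chosen clock value, and computes the overlap of all validity windows so the "can I turn the clock back far enough?" question gets a definite answer before anyone touches the system clock. The embedded sample is constructed from the certutil output quoted in this message; the file name check_nss_certs.py and all function names are my own.

```python
#!/usr/bin/env python3
"""Check the validity windows of certificates listed by `certutil -L`.

Added example, not code from the thread or from FreeIPA/certmonger/NSS.
Usage against a live NSS database (certutil output is piped in):
    certutil -L -d /etc/httpd/alias -n Server-Cert | python3 check_nss_certs.py
Run without stdin input it analyses the constructed sample below.
"""
import sys
from datetime import datetime, timezone

# Constructed sample: the two Server-Cert entries quoted in the thread's certutil
# output, reduced to the lines this parser uses.
SAMPLE_CERTUTIL_OUTPUT = """\
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
"""

# certutil prints validity times like "Fri Jan 29 14:09:45 2016"; they are UTC.
CERTUTIL_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def utc(*args):
    """Build a timezone-aware UTC datetime so all comparisons below are unambiguous."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_certutil_time(value):
    return datetime.strptime(value.strip(), CERTUTIL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_certutil_output(text):
    """Return one dict per certificate with issuer, subject, not_before, not_after.

    certutil prints Issuer before the validity block and the Subject line, so each
    "Issuer:" line starts a new record; anything before the first one is ignored.
    """
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            current = {"issuer": line.split(":", 1)[1].strip().strip('"')}
            certs.append(current)
        elif current is None:
            continue
        elif line.startswith("Not Before:"):
            current["not_before"] = parse_certutil_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):  # certutil prints it as "Not After :"
            current["not_after"] = parse_certutil_time(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            current["subject"] = line.split(":", 1)[1].strip().strip('"')
    return certs


def status_at(cert, when):
    """'not yet valid', 'valid' or 'expired' for the certificate at clock value `when`."""
    if when < cert["not_before"]:
        return "not yet valid"
    if when > cert["not_after"]:
        return "expired"
    return "valid"


def check_all(certs, when):
    """[(subject, status), ...] for every parsed certificate at clock value `when`."""
    return [(c["subject"], status_at(c, when)) for c in certs]


def common_validity_window(certs):
    """Overlap of all validity windows as (start, end), or None when there is none.

    None means no clock value makes every certificate valid at the same time, which
    is the case for the two Server-Cert entries in the sample; turning the clock
    back cannot fix that, only removing or replacing one of the certificates can.
    """
    if not certs:
        return None
    start = max(c["not_before"] for c in certs)
    end = min(c["not_after"] for c in certs)
    return (start, end) if start <= end else None


if __name__ == "__main__":
    text = SAMPLE_CERTUTIL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    certs = parse_certutil_output(text)
    # Real clock, plus the clock value that appeared in the dirsrv error log.
    for when in (datetime.now(timezone.utc), utc(2014, 9, 28, 14, 58, 15)):
        print(when.isoformat(timespec="seconds"), check_all(certs, when))
    print("window in which all certificates are valid:", common_validity_window(certs))
```

Because the parser keys on the Issuer line, it also handles the unfiltered output of certutil -L -n (without the grep), and it reports every certificate stored under the nickname rather than only the one NSS happens to pick, which is the distinction the expired-certificate errors in this thread hinge on.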
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project