Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert, re-added the certificate w/ a valid date and fixed the cert trust attributes along the way. So it went from this:

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u

to this:

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
sample.NET IPA CA                                            CT,C,C
Signing-Cert                                                 u,u,u

I also re-tried the resubmit/restart processes but unfortunately the error persists:

    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.

Thanks, Anthony

On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Anthony Cheng wrote:
>>> Small update, I found an article on the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code that I am getting and I followed the steps with certutil to update
>>> the cert attributes but it is still not working. The article is listed
>>> as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20111214223243':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for
> the test at the time when I set the clock to renew certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]# ll * | grep self
> -rw-r-. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
> -rw-r-. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>
> From the debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]:
> [28/Jan/2016:21:09:02][main]: = DEBUG SUBSYSTEM INITIALIZED ===
> [28/Jan/2016:21:09:02][main]:
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [28/Jan/2016:21:09
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Anthony Cheng wrote:
>> Small update, I found an article on the RH solution library
>> (https://access.redhat.com/solutions/2020223) that has the same error
>> code that I am getting and I followed the steps with certutil to update
>> the cert attributes but it is still not working. The article is listed
>> as "Solution in Progress".
>>
>> [root@test ~]# getcert list | more
>> Number of certificates and requests being tracked: 7.
>> Request ID '20111214223243':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
> Not Found means the CA didn't start. You need to examine the debug and
> selftest logs to determine why.
>
> rob

selftests.log is empty; there are entries for other times but not for the test at the time when I set the clock to renew certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]# ll * | grep self
-rw-r-. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
-rw-r-. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159

From the debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]:
[28/Jan/2016:21:09:02][main]: = DEBUG SUBSYSTEM INITIALIZED ===
[28/Jan/2016:21:09:02][main]:
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log ev
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> Anthony Cheng wrote:
> > OK so I made progress on my cert renew issue; I was able to get kinit
> > working so I can follow the rest of the steps here
> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> > (/sbin/service ipa restart), I still see:
> >
> > [root@test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: 4301 (RPC failed
> > at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while
> tomcat started ok it didn't load the dogtag CA application, hence the
> Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start
> properly.
>
> [ snip ]

Actually after a reboot that error went away and I just get this error instead from "getcert list":

    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).

The result of service ipa restart is interesting since it shows today's time when I had already changed the date/time and disabled NTP, so somehow the system still knows today's time.

    PKI-IPA...[02/May/2016:13:26:10 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary
> value you should start with a DER-encoded cert and load it using
> something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER
> formats.
>
> I have a vague memory that dogtag can deal with a multi-valued
> usercertificate attribute.
>
> rob

Yes, the wiki stated binary; the result of:

    ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W

shows

    userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.

> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only
> > 1) but they are duplicates and NOT from the data that I added. That seems
> > incorrect to me.
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
> > <anthony.wan.ch...@gmail.com <mailto:anthony.wan.ch...@gmail.com>> wrote:
> >
> >     klist is actually empty; kinit admin fails. Sounds like then
> >     getcert resubmit has a dependency on Kerberos. I can get a backup
> >     image that has a valid ticket but it is only good for 1 day (and
> >     dated past the cert expiry).
> >
> >     Also I had asked a while back about whether there is a dependency on
> >     DIRSRV to renew the cert; didn't get any response but I suspect
> >     there is a dependency.
> >
> >     Regarding the clock skew, I found out from /var/log/message that
> >     shows me this so it may be from named:
> >
> >     Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
> >     skew too great)
> >     Jan 28 14:10:42 test named[2911]: loading configuration: failure
> >     Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
> >     failure. Minor code may provide more information (Credentials
> >     cache file '/tmp/krb5cc_496' not found)
> >
> >     I don't have a krb5cc_496 file (since klist is empty), so sounds to
> >     me I need to get a Kerberos ticket before going any fu
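Rob's LDIF above pulls the DER from a file with ":<"; the inline base64 form that ldapsearch later displayed (the "::" syntax), the PEM-to-DER step, and RFC 2849 line folding are shown in this added example, which is not code from FreeIPA, Dogtag or anyone in the thread. The function names (pem_to_der, fold_ldif, unfold_ldif, usercertificate_add_ldif, ldif_attribute) are chosen here, the DN is the one from Rob's message, and SAMPLE_PEM is a constructed placeholder wrapping a 5-byte DER value, not a real certificate.

```python
import base64
import re

# Constructed placeholder standing in for `openssl x509` output.  Its body is
# the base64 of the DER bytes 30 03 02 01 05 (SEQUENCE { INTEGER 5 }), not a
# real certificate, so the example runs offline.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """The conversion `openssl x509 -outform DER` performs: drop the armour
    lines and base64-decode what sits between them."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group("body").split()), validate=True)


def fold_ldif(line, width=76):
    """RFC 2849 line folding: every continuation line starts with one space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def unfold_ldif(text):
    """Undo fold_ldif so a folded record can be parsed line by line."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def usercertificate_add_ldif(dn, der):
    """Build a 'changetype: modify' record that adds the DER bytes as
    userCertificate;binary.  The double colon marks a base64 value, which is
    also how ldapsearch displayed the stored attribute in the thread; raw
    bytes or PEM text after a single colon would store the wrong value."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: userCertificate;binary",
        fold_ldif(f"userCertificate;binary:: {b64}"),
        "",
    ])


def ldif_attribute(line):
    """Split one unfolded LDIF line into (attribute, bytes), honouring '::'."""
    attr, sep, value = line.partition(":: ")
    if sep:
        return attr, base64.b64decode(value)
    attr, _, value = line.partition(": ")
    return attr, value.encode()


if __name__ == "__main__":
    print(usercertificate_add_ldif("uid=ipara,ou=people,o=ipaca", pem_to_der(SAMPLE_PEM)))
```

Feed the printed record to ldapmodify exactly as Rob's file-based variant would be; the unfold/ldif_attribute pair lets you check what ldapsearch returns against the DER you intended to store.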
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
I made further progress: I managed to get it into NEED_TO_SUBMIT state again after a reboot and this time klist and clock look good. However I am getting this error while restarting IPA:

    Starting dirsrv:
        PKI-IPA...[29/Apr/2016:21:41:48 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching all files on the computer I found some files that have that time:

    /var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
    /var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in the error log:

    Starting dirsrv:
        PKI-IPA...[28/Sep/2014:14:58:15 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)  [ OK ]
        sample-NET...[28/Sep/2014:14:58:16 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2 and one is expired no matter what time I set it to, due to the time lapse between them; this seems to indicate that I need to remove one of them:

[root@test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep 'Issuer\|Not\|Subject\|Name'
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:
> OK so I made progress on my cert renew issue; I was able to get kinit
> working so I can follow the rest of the steps here
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
> (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> (/sbin/service ipa restart), I still see:
>
> [root@test ~]# ipa-getcert list | more
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>         expires: 2016-01-29 14:09:46 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=sample.NET
>         subject: CN=test.sample.net,O=sample.NET
>
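Two findings in this thread are worth catching before anyone touches the clock: the duplicate Server-Cert and ipaCert nicknames in the certutil -L listing from the May 4 message, and the two Server-Cert validity windows above, which never overlap, so one of the two certificates is expired at any clock setting. The following audit script is an added example, not code from FreeIPA, Dogtag or the thread's author; parse_listing, parse_validity, common_validity and audit are names chosen here, and the certutil output it reads is a constructed copy of what the thread shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed copy of the `certutil -L -d /etc/httpd/alias` listing from the
# thread, before the duplicate entries were removed.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
"""

# Constructed copy of the validity lines `certutil -L -d ... -n Server-Cert`
# printed for the two certificates sharing that nickname.
SERVER_CERT_DETAIL = """\
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
"""

# One listing row: nickname, two or more spaces, then the three NSS trust
# fields (SSL, S/MIME, JAR/XPI) separated by commas.
ROW_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"


def parse_listing(text):
    """Map nickname -> list of trust strings; a list longer than one means
    the nickname is present more than once in the database."""
    rows = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows[m.group(1)].append(m.group(2))
    return dict(rows)


def parse_validity(text):
    """Return [(not_before, not_after), ...], one pair per certificate in the
    detailed output (a duplicated nickname prints several certificates)."""
    windows, start = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Not Before:"):
            start = datetime.strptime(line.split(":", 1)[1].strip(), CERTUTIL_DATE)
        elif line.startswith("Not After") and start is not None:
            end = datetime.strptime(line.split(":", 1)[1].strip(), CERTUTIL_DATE)
            windows.append((start, end))
            start = None
    return windows


def common_validity(windows):
    """Intersection of the validity windows, or None when no single clock
    setting makes every certificate under the nickname valid at once."""
    latest_start = max(s for s, _ in windows)
    earliest_end = min(e for _, e in windows)
    return (latest_start, earliest_end) if latest_start <= earliest_end else None


def audit(listing, details, now_iso, ca_nicknames=("sample.NET IPA CA",)):
    """Return findings for a database listing plus per-nickname detail output.
    now_iso is the clock (ISO 8601) the services will be started under."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for nick, trusts in parse_listing(listing).items():
        if len(trusts) > 1:
            findings.append(f"{nick}: {len(trusts)} certificates share this nickname")
        for trust in trusts:
            ssl_flags = trust.split(",")[0]
            if nick in ca_nicknames and "C" not in ssl_flags:
                findings.append(f"{nick}: CA certificate lacks the C trust flag ({trust})")
            if nick not in ca_nicknames and "u" not in ssl_flags:
                findings.append(f"{nick}: no private key marked for this cert ({trust})")
    for nick, detail in details.items():
        windows = parse_validity(detail)
        if len(windows) > 1 and common_validity(windows) is None:
            findings.append(f"{nick}: validity windows never overlap; one entry is always expired")
        if windows and not any(s <= now <= e for s, e in windows):
            findings.append(f"{nick}: every certificate is expired at {now:%Y-%m-%d %H:%M}")
    return findings


if __name__ == "__main__":
    for finding in audit(LISTING, {"Server-Cert": SERVER_CERT_DETAIL}, "2016-05-04"):
        print(finding)
```

Run it against real output by piping `certutil -L -d <dbdir>` into LISTING and each `certutil -L -d <dbdir> -n <nickname>` into the details map; a nickname with a non-overlapping pair is the one to clean up with certutil -D before resubmitting.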
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$

Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicates and NOT from the data that I added. That seems incorrect to me.

On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:
> klist is actually empty; kinit admin fails. Sounds like then getcert
> resubmit has a dependency on Kerberos. I can get a backup image that has
> a valid ticket but it is only good for 1 day (and dated past the cert
> expiry).
>
> Also I had asked a while back about whether there is a dependency on DIRSRV
> to renew the cert; didn't get any response but I suspect there is a
> dependency.
>
> Regarding the clock skew, I found out from /var/log/message that shows me
> this so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew
> too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so sounds to me I
> need to get a Kerberos ticket before going any further. Also is the file
> /etc/krb5.keytab access/modification time important? I had changed time
> back to before the cert expiration date and rebooted and tried to renew but the
> error message about clock skew is still there. That seems strange.
>
> Lastly, as an absolute last resort, can I regenerate a new cert myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root@test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
>     PKI-IPA...                                [ OK ]
>     sample-NET...                             [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                      [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:             [ OK ]
> Starting DNS Service
> Starting named:                               [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC:                      [ OK ]
> Stopping Kerberos 5 Admin Server:             [ OK ]
> Stopping named:                               [ OK ]
> Stopping httpd:                               [ OK ]
> Stopping pki-ca:                              [ OK ]
> Shutting down dirsrv:
>     PKI-IPA...                                [ OK ]
>     sample-NET...                             [ OK ]
> Aborting ipactl
> [root@test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dku...@redhat.com> wrote:
>
>> On 27/04/16 21:54, Anthony Cheng wrote:
>> > Hi list,
>> >
>> > I am trying to renew expired certificates following the manual renewal
>> > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>> > but even with resetting the system/hardware clock to a time before it
>> > expires, I am getting the error "ca-error: Error setting up ccache for
>> > local "host" service using default keytab: Clock skew too great."
>> >
>> > With NTP disabled and the clock reset why would it complain about clock
>> > skew and how does it even know about the current time?
>> >
>> > [root@test certs]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: MONITORING
>> >         ca-error: Error setting up ccache for local "host" service
>> > using default keytab: Clock skew too great.
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).

Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and rebooted and tried to renew but the error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
    PKI-IPA...                                [ OK ]
    sample-NET...                             [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC:                      [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:             [ OK ]
Starting DNS Service
Starting named:                               [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                      [ OK ]
Stopping Kerberos 5 Admin Server:             [ OK ]
Stopping named:                               [ OK ]
Stopping httpd:                               [ OK ]
Stopping pki-ca:                              [ OK ]
Shutting down dirsrv:
    PKI-IPA...                                [ OK ]
    sample-NET...                             [ OK ]
Aborting ipactl
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped

On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dku...@redhat.com> wrote:
> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the manual renewal
> > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > but even with resetting the system/hardware clock to a time before it
> > expires, I am getting the error "ca-error: Error setting up ccache for
> > local "host" service using default keytab: Clock skew too great."
> >
> > With NTP disabled and the clock reset why would it complain about clock
> > skew and how does it even know about the current time?
> >
> > [root@test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=sample.NET
> >         subject: CN=test.sample.net,O=sample.NET
> >         expires: 2016-01-29 14:09:46 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223300':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA
[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Hi list,

I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before it expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."

With NTP disabled and the clock reset why would it complain about clock skew and how does it even know about the current time?

[root@test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 '
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 '
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=OCSP Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
Re: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0
So I went ahead and ran the migrate-ds command; I ran into the issue that was described here when trying to change the password:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html

I re-ran the migrate-ds option, but I actually don't see the user accounts being migrated at all when I run "ipa user-show user_name --all". I suppose the manual option/script is the only option at this point?

Anthony

On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:
> Hi list,
>
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating the
> data.
>
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
> (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
>
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
>
> My questions are:
> 1) Will this work as my new domain has changed (so the realm is different)?
> 2) Will this work for migration from 3.0.0 to 4.2.0?
> 3) Is this command safe to run from a production box?
> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)
>
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."
>
> I have some idea how to do LDIF import/export but is this process
> documented anywhere (on freeipa.org)?
>
> Thanks, Anthony
> --

Thanks, Anthony
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Migrate FreeIPA data from v2.0. to v4.2.0
Hi list,

Currently in the midst of doing a migration of FreeIPA from v3.0.0 to v4.2.0; I have set up the new IPA instances and I am looking at migrating the data.

Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment), it is suggested to run the following sample command:

echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://migrated.freeipa.server.test

My questions are:
1) Will this work as my new domain has changed (so the realm is different)?
2) Will this work for migration from 3.0.0 to 4.2.0?
3) Is this command safe to run from a production box?
4) If it fails or is not safe to run, what is the alternative/process? (details would be appreciated)

Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS, ...) have to be migrated manually, by exporting the LDIF from old FreeIPA instance, selecting the records to be migrated, updating the attributes in batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

I have some idea how to do LDIF import/export but is this process documented anywhere (on the freeipa.org)?

--
Thanks, Anthony
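As an added example that is not part of this thread or of FreeIPA itself, the manual step the wiki describes for SUDO/HBAC/DNS objects, done in a small Python script: parse the exported LDIF, keep only the object classes to migrate, rewrite the old base DN and realm in batch, and emit cleaned LDIF for ldapadd on the new server. The realm and base-DN values and the sample LDIF are constructed.

```python
# Added example (not from the thread): batch-rewrite a FreeIPA LDIF export for the
# new realm/base DN, keeping only chosen objectClasses. Sample LDIF is constructed.
import base64, re

OLD_REALM, NEW_REALM = "OLD.EXAMPLE.TEST", "NEW.EXAMPLE.TEST"          # assumed values
OLD_BASE, NEW_BASE = "dc=old,dc=example,dc=test", "dc=new,dc=example,dc=test"
SAMPLE_LDIF = """\
dn: ipaUniqueID=1234,cn=sudorules,cn=sudo,dc=old,dc=example,dc=test
objectClass: ipasudorule
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=test
description:: bGV0IGFkbWlucyBydW4gZXZlcnl0aGlu
 Zw==

dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=test
objectClass: posixaccount
krbPrincipalName: alice@OLD.EXAMPLE.TEST
"""

def parse_ldif(text):
    """Entries as lists of (attr, value); unfolds lines continued with a space, decodes '::'."""
    entries, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():                     # a blank line terminates an entry
            if current:
                entries.append(current)
            current = []
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:]).decode("utf-8")
            else:
                value = value.strip()
            current.append((attr, value))
    return entries

def migrate(text, keep_classes, old_realm, new_realm, old_base, new_base):
    """Keep entries having an objectClass in keep_classes; rewrite base DN and realm in all values."""
    wanted = {c.lower() for c in keep_classes}
    return [[(a, v.replace(old_base, new_base).replace(old_realm, new_realm))
             for a, v in entry]
            for entry in parse_ldif(text)
            if wanted & {v.lower() for a, v in entry if a.lower() == "objectclass"}]

def to_ldif(entries):
    """Serialize; values unsafe as plain LDIF (non-ASCII, leading space, ':' or '<') go base64."""
    def fmt(a, v):
        if v.isascii() and v == v.strip() and v[:1] not in (":", "<"):
            return f"{a}: {v}"
        return f"{a}:: {base64.b64encode(v.encode()).decode()}"
    return "\n".join("\n".join(fmt(a, v) for a, v in e) + "\n" for e in entries)
```

Run against a real export with the classes to keep (e.g. ipasudorule, ipahbacrule) and review the output before feeding it to ldapadd; a plain string replace is deliberate here so every reference to the old suffix, including memberUser DNs, is caught in one pass.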
[Freeipa-users] (no subject)
Hi list,

This is a recurring subject: the dreaded expired certificate. I am following the renewal here http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and testing on a clone VM, and I am able to get to the step where the serial number is being replaced:

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

However, the database was hosted on another machine, so dirsrv/slapd is not running. So is there any way to renew the certificate in this situation other than setting up and mounting that database as well?

Anthony

--
Thanks, Anthony
[Freeipa-users] configure: error: xmlrpc-c/base.h not found
Hi all,

I am getting an error with make for both freeipa-4.3.0 and freeipa-4.2.0; both errors are the same:

checking for xmlrpc-c/base.h... no
configure: error: xmlrpc-c/base.h not found
make: *** [client-autogen] Error 1

I read from http://www.freeipa.org/page/Releases/4.0.0 that XMLRPC system commands were not implemented; so is it safe to ignore this error? If not, would it suffice to install one of the following?

xmlrpc-c-c++.x86_64 : C++ libraries for xmlrpc-c
xmlrpc-c-client.x86_64 : C client libraries for xmlrpc-c
xmlrpc-c-client++.x86_64 : C++ client libraries for xmlrpc-c
xmlrpc-c-devel.x86_64 : Development files for xmlrpc-c based programs
xmlrpc-c.x86_64 : A lightweight RPC library based on XML and HTTP
xmlrpc-c-apps.x86_64 : Sample XML-RPC applications
xmlrpc-client.noarch : XML-RPC client implementation
xmlrpc-common.noarch : Common classes for XML-RPC client and server implementations

--
Thanks, Anthony
[Freeipa-users] Documentation on Testing page
Hi all,

I have been looking at the documentation, specifically the test page: http://www.freeipa.org/page/Testing

It looks like it has missing info in the Build section; specifically, I don't see a reference to a makefile or to where to run make to build the testing utility.

Thanks, Anthony