T A via FreeIPA-users wrote:
> Florence thanks for the reply.
> There are 2 IPA servers; the one I'm trying to fix certs on is the CA renewal 
> master, server1
> 
> I had to redact some details
> # ipa config-show
> Max username length: 32
> Home directory base: /home
> Default shell: /bin/bash
> Default users group: ipausers
> Default e-mail domain: company.com
> Search time limit: 2
> Search size limit: 100
> User search fields: uid,givenname,sn,telephonenumber,ou,title
> Group search fields: cn,description
> Enable migration mode: FALSE
> Certificate Subject base: O=COMPANY.COM
> Password Expiration Notification (days): 4
> Password plugin features: AllowNThash
> SELinux user map order: 
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> Default PAC types: MS-PAC, nfs:NONE
> IPA masters: server1.company.com, server2.company.com
> IPA master capable of PKINIT: server1.company.com
> IPA CA servers: server1.company.com, server2.company.com
> IPA NTP servers: server1.company.com, server2.company.com
> IPA CA renewal master: server1.company.com
> IPA DNS servers: server1.company.com, server2.company.com
> 
> 
> There are 3 expired certs, with the dogtag having expired first and then that 
> probably causing the other two not to be renewed. If I roll back the clock to 
> before expiration, everything starts up fine; I just can't get the dogtag 
> cert to renew. I get "csngen_adjust_local_time - Adjustment limit exceeded" 
> whenever I try "ipa-getcert resubmit -i ".

That message is related but not the reason renewal is failing. It's
389-ds replication noticing how out-of-whack time is.

> Request ID '000012':
>         status: NEED_GUIDANCE
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=COMPANY.COM
>         subject: CN=server1.company.com,O=COMPANY.COM
>         expires: <several weeks ago>
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes

You'll need to look in the journal (or syslog) for more information.
This is certmonger telling you that something failed and it has no idea why.

> Request ID '000013':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-COMPANY-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=COMPANY.COM
>         subject: CN=server1.company.com,O=COMPANY.COM
>         expires: <several weeks ago>
>         principal name: ldap/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv COMPANY-COM
>         track: yes
>         auto-renew: yes
> 
> Request ID '000017':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=COMPANY.COM
>         subject: CN=server1.company.com,O=COMPANY.COM
>         expires: <several weeks ago>
>         principal name: HTTP/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes

This points to something wrong with the host keytab. While time is rolled
back and all the services are running (except the CA, of course):

1. kinit admin
2. klist -kt /etc/krb5.keytab
3. kvno host/server1.company.com

Both steps 2 and 3 will output a kvno (key version number). They should
match. If they don't you'll need to generate a new one and this could
pose an issue for the broken replication (because when time is "right"
things may not sync up). We can tackle that if it comes to it.

rob
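The kvno comparison Rob describes (steps 1-3 above), written out as an added example; this is not code from the list post or from FreeIPA. The parsing functions work on captured `klist -kt` and `kvno` text so they can be exercised offline on constructed sample output (the sample keytab listing and principal names below are made up for the demonstration); `live_check` runs the real tools the way the post describes and assumes a valid ticket from `kinit admin` is already in place.

```shell
#!/bin/sh
# Added example: compare the key version number (kvno) a service principal
# has in the local keytab with the kvno the KDC currently reports for it.
# A mismatch means the principal's key was re-issued after the keytab was
# written, which is one cause of certmonger's "Preauthentication failed".

# Highest kvno recorded for PRINCIPAL ($1) in `klist -kt` output read from
# stdin. The principal is the last column, the kvno the first; every enctype
# gets its own line, so the maximum is taken. Prints 0 if it is absent.
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = 0 }
        NF >= 3 && $1 ~ /^[0-9]+$/ && ($NF == p || index($NF, p "@") == 1) {
            if ($1 + 0 > max) max = $1 + 0
        }
        END { print max }'
}

# kvno the KDC reports, from `kvno PRINCIPAL` output read from stdin,
# e.g. "host/server1.company.com@COMPANY.COM: kvno = 2". Prints nothing
# when kvno failed (no ticket, unknown principal, ...).
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Prints "match <n>", "mismatch keytab=<a> kdc=<b>" or "unknown: ...".
# Exit status: 0 match, 1 mismatch, 2 undetermined.
check_kvno() {
    principal="$1"; klist_out="$2"; kvno_out="$3"
    kt=$(printf '%s\n' "$klist_out" | keytab_kvno "$principal")
    kd=$(printf '%s\n' "$kvno_out" | kdc_kvno)
    if [ -z "$kd" ]; then
        echo "unknown: kvno gave no answer (run kinit first and check the principal)"
        return 2
    fi
    if [ "$kt" -eq "$kd" ]; then
        echo "match $kt"
        return 0
    fi
    echo "mismatch keytab=$kt kdc=$kd"
    return 1
}

# Live check on a real IPA server (not run here): needs a ticket from
# `kinit admin` and read access to /etc/krb5.keytab (i.e. root).
live_check() {
    principal="${1:-host/$(hostname -f)}"
    check_kvno "$principal" "$(klist -kt /etc/krb5.keytab)" "$(kvno "$principal" 2>&1)"
}

# Constructed sample output, modelled on the klist -kt / kvno formats.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/02/2020 10:11:12 host/server1.company.com@COMPANY.COM
   2 01/02/2020 10:11:12 host/server1.company.com@COMPANY.COM
   2 01/02/2020 10:11:12 host/server1.company.com@COMPANY.COM
   5 03/04/2021 09:00:00 ldap/server1.company.com@COMPANY.COM'
SAMPLE_KVNO_OK='host/server1.company.com@COMPANY.COM: kvno = 2'
SAMPLE_KVNO_BAD='host/server1.company.com@COMPANY.COM: kvno = 3'
SAMPLE_KVNO_ERR='kvno: Server not found in Kerberos database while getting credentials for host/server1.company.com@COMPANY.COM'

# Offline demonstration on the constructed samples.
check_kvno host/server1.company.com "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK"
check_kvno host/server1.company.com "$SAMPLE_KLIST" "$SAMPLE_KVNO_BAD" || true
check_kvno host/server1.company.com "$SAMPLE_KLIST" "$SAMPLE_KVNO_ERR" || true
```

On a real server, `live_check` (or `live_check host/other.host.example` for a different principal) does steps 2 and 3 in one go; the three-way exit status is meant for scripting the check across several IPA masters, where the "unknown" case usually just means the `kinit admin` from step 1 was skipped.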
_______________________________________________
FreeIPA-users mailing list -- [email protected]