On 27/04/16 21:54, Anthony Cheng wrote:
Hi list,

I am trying to renew expired certificates following the manual renewal procedure
here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), but even after
resetting the system/hardware clock to a time before expiry, I am getting the
error "ca-error: Error setting up ccache for local "host" service using default
keytab: Clock skew too great."

With NTP disabled and the clock reset, why would it complain about clock skew, and how
does it even know about the current time?

[root@test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
         status: MONITORING
         ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=test.sample.net,O=sample.NET
         expires: 2016-01-29 14:09:46 UTC
         eku: id-kp-serverAuth
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes
Request ID '20111214223300':
         status: MONITORING
         ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate
DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=test.sample.net,O=sample.NET
         expires: 2016-01-29 14:09:45 UTC
         eku: id-kp-serverAuth
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes
Request ID '20111214223316':
         status: MONITORING
         ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=test.sample.net,O=sample.NET
         expires: 2016-01-29 14:09:45 UTC
         eku: id-kp-serverAuth
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes
Request ID '20130519130741':
         status: NEED_CSR_GEN_PIN
         ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
         stuck: yes
         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=CA Audit,O=sample.NET
         expires: 2017-10-13 14:10:49 UTC
         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20130519130742':
         status: NEED_CSR_GEN_PIN
         ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
         stuck: yes
         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=OCSP Subsystem,O=sample.NET
         expires: 2017-10-13 14:09:49 UTC
         eku: id-kp-OCSPSigning
         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20130519130743':
         status: NEED_CSR_GEN_PIN
         ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
         stuck: yes
         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=CA Subsystem,O=sample.NET
         expires: 2017-10-13 14:09:49 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20130519130744':
         status: MONITORING
         ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=RA Subsystem,O=sample.NET
         expires: 2017-10-13 14:09:49 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
         track: yes
         auto-renew: yes
Request ID '20130519130745':
         status: NEED_CSR_GEN_PIN
         ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
         stuck: yes
         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=sample.NET
         subject: CN=test.sample.net,O=sample.NET
         expires: 2017-10-13 14:09:49 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes
--

Thanks, Anthony




Hello Anthony!

After stopping NTP (or another time-synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.

I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.

--
David Kupka
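The check David suggests, as an added example that is not part of the thread: parse `klist` output for the root ticket cache and flag any cached ticket whose start time is further ahead of the (wound-back) local clock than krb5's default `clockskew` of 300 seconds. The klist text, the principal names and the "rolled back" timestamp are constructed for the example; the IPA server, the cache location and the skew setting are assumptions.

```python
import re
from datetime import datetime, timedelta

# krb5's default clockskew (seconds) when krb5.conf does not override it (assumption: not overridden).
DEFAULT_CLOCKSKEW = timedelta(seconds=300)

# Constructed sample of `klist` output for root's cache: the tickets were obtained while
# the clock still showed real time (April 2016), i.e. before the clock was wound back.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/test.sample.net@SAMPLE.NET

Valid starting       Expires              Service principal
04/27/2016 21:40:12  04/28/2016 21:40:12  krbtgt/SAMPLE.NET@SAMPLE.NET
04/27/2016 21:40:13  04/28/2016 21:40:12  ldap/test.sample.net@SAMPLE.NET
"""

_TS = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
_TICKET_RE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)\s*$", re.M)


def parse_ts(text):
    """klist prints a 2- or a 4-digit year depending on the krb5 version; accept both."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(output):
    """Return (default principal, [(valid_from, expires, service), ...]) from klist text."""
    m = re.search(r"^Default principal: (\S+)$", output, re.M)
    principal = m.group(1) if m else None
    tickets = [(parse_ts(a), parse_ts(b), svc) for a, b, svc in _TICKET_RE.findall(output)]
    return principal, tickets


def skewed_tickets(output, now, clockskew=DEFAULT_CLOCKSKEW):
    """Cached tickets whose start time is more than `clockskew` ahead of the local clock.

    Tickets obtained at real time and kept after the clock was wound back carry timestamps
    that now lie far in the future; those are the ones to kdestroy before resubmitting.
    `now` is a datetime or a klist-style timestamp string. Returns [(service, seconds_ahead)]."""
    if isinstance(now, str):
        now = parse_ts(now)
    _, tickets = parse_klist(output)
    return [(svc, int((start - now).total_seconds()))
            for start, _exp, svc in tickets if start - now > clockskew]


if __name__ == "__main__":
    # Constructed wound-back clock: January 2016, before the 2016-01-29 expiry seen in the thread.
    for svc, secs in skewed_tickets(SAMPLE_KLIST, "01/28/2016 12:00:00"):
        print(f"{svc}: starts {secs} s ahead of the local clock; kdestroy before resubmitting")
```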
