Check to see on the CA server if your Delta CRL list has expired. -Greg Olson
From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, March 19, 2015 12:20 PM
To: [email protected]
Subject: RE: [NTSysADM] auto-renew cert

This is a little bit of a stretch - I've never seen this error before. But look at the NotBefore and NotAfter dates on the installed certificate and the certificate in the CA and see if they match...

From: [email protected] On Behalf Of Daniel Chenault
Sent: Thursday, March 19, 2015 1:43 PM
To: [email protected]
Subject: RE: [NTSysADM] auto-renew cert

Event ID 6, source CertificateServicesClient-AutoEnrollment
Automatic certificate enrollment for local system failed (0x80070576) There is a time and/or date difference between the client and server.

Someone else suggested w32tm. Tried that just now; as with net time showed the same time with a delta under one second. Did a w32tm /resync just in case.

________________________________
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] auto-renew cert
Date: Thu, 19 Mar 2015 17:32:28 +0000

/snark
Because MS still commonly reuses libraries that display misleading information in error messages and event logs just like they always have?

The auto renewal problem could be caused by a number of issues, hard to speculate without the error detail.

From: [email protected] On Behalf Of Daniel Chenault
Sent: Wednesday, March 18, 2015 6:41 PM
To: [email protected]
Subject: Re: [NTSysADM] auto-renew cert

Time was checked at a command prompt with net time. Also forced an update from the PDCe to be sure. That's why I'm asking. Why is the log showing an event for an error state that does not exist?
On Mar 18, 2015, at 18:32, "Ken Schaefer" <[email protected]> wrote:

If the servers are showing the same time on the tray clock (e.g. 10AM) but are set to different time zones, then there will be a time mismatch between the two, because when converted to UTC, they will be out by whatever the difference in time zone is.

From: [email protected] On Behalf Of Free Jr., Bob
Sent: Thursday, 19 March 2015 12:15 PM
To: [email protected]
Subject: RE: [NTSysADM] auto-renew cert

Neither have anything to do with w32time/NTP. Time protocols are based on UTC (Coordinated Universal Time), AKA GMT or Zulu time.

From: [email protected] On Behalf Of J- P
Sent: Wednesday, March 18, 2015 5:03 PM
To: NT
Subject: RE: [NTSysADM] auto-renew cert

Maybe daylight savings time, or time zone?

________________________________
From: [email protected]
To: [email protected]
Subject: [NTSysADM] auto-renew cert
Date: Wed, 18 Mar 2015 16:39:47 -0700

So I have a member server complaining it can't auto-renew its cert. According to the event it's because time and/or date are off between the client and the issuing CA.

No, they're not. They are within 1 sec. They both update their time from the PDCe. Running "net time" on all three proves there is no issue whatsoever with date or time.

I admit I have no clue how to troubleshoot an obviously incorrect event.

________________________________
PG&E is committed to protecting our customers' privacy.
To learn more, please visit http://www.pge.com/about/company/privacy/customer/
________________________________
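
The checks suggested in the replies above (clock comparison in UTC, the certificate's NotBefore/NotAfter window, and CRL freshness), collected into one PowerShell pass to run on the member server. This is an added example, not a script from any poster in the thread; the CA host name `ca01.example.internal` and the temporary file name are placeholders.

```powershell
# Added example. $CA is a placeholder: set it to the issuing CA's host name.
$CA = 'ca01.example.internal'

# 1. Compare clocks in UTC rather than by tray-clock time, and show the
#    local time zone so a zone mismatch between client and CA is visible.
$tz = [System.TimeZoneInfo]::Local
"Local zone : {0} (UTC offset {1})" -f $tz.Id, $tz.GetUtcOffset([DateTime]::Now)
"Local UTC  : {0:u}" -f [DateTime]::UtcNow
# w32tm reports the measured offset against the CA in seconds.
w32tm /stripchart /computer:$CA /samples:3 /dataonly

# 2. Validity window of each certificate in the machine store, in UTC,
#    to compare against the same certificate as recorded on the CA.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        NotBeforeUtc = $_.NotBefore.ToUniversalTime()
        NotAfterUtc  = $_.NotAfter.ToUniversalTime()
        InWindow     = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
    }
} | Format-Table -AutoSize

# 3. CRL freshness: export one machine certificate and let certutil fetch
#    and validate the base and delta CRLs named in its distribution points.
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($cert) {
    $file = Join-Path $env:TEMP 'machine-cert.cer'   # placeholder file name
    [IO.File]::WriteAllBytes($file, $cert.Export('Cert'))
    certutil -verify -urlfetch $file
    Remove-Item $file
} else {
    'No certificate found in Cert:\LocalMachine\My'
}
```

In the `certutil -verify -urlfetch` output, look at the status reported for each base and delta CRL URL and at the final revocation check result.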

