Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-05 Thread Rob Crittenden

Anthony Cheng wrote:

More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias).  So I
deleted the duplicate cert, re-added the certificate with a valid date and
fixed the cert trust attributes along the way.


You're fixing the wrong place. Apache is up and serving which is how you 
are getting Not Found. It is dogtag that isn't starting for some reason. 
Maybe Endi has some ideas.


rob



So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert                                   u,u,u
ipaCert                                       u,u,u
sample.NET IPA CA                             CT,C,C
ipaCert                                       u,u,u
Signing-Cert                                  u,u,u
Server-Cert                                   u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
Server-Cert                                   u,u,u
sample.NET IPA CA                             CT,C,C
Signing-Cert                                  u,u,u

I also retried the resubmit/restart processes, but unfortunately the error
persists (ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony


On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:

On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:

Anthony Cheng wrote:


Small update: I found an article in the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code I am getting, and I followed the steps with certutil to update
the cert attributes, but it is still not working.  The article is listed
as "Solution in Progress".

[root@test ~]# getcert list | more

Number of certificates and requests being tracked: 7.

Request ID '20111214223243':

status: CA_UNREACHABLE

ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).



Not Found means the CA didn't start. You need to examine the debug and
selftest logs to determine why.

rob


selftests.log is empty; there are entries for other times but not for
the time I set the clock to in order to renew the certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]#

[root@test pki-ca]# ll * | grep self
-rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
-rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159

From the debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
 at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: 

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-05 Thread Anthony Cheng
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias).  So I
deleted the duplicate cert, re-added the certificate with a valid date and
fixed the cert trust attributes along the way.

So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert                                   u,u,u
ipaCert                                       u,u,u
sample.NET IPA CA                             CT,C,C
ipaCert                                       u,u,u
Signing-Cert                                  u,u,u
Server-Cert                                   u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
Server-Cert                                   u,u,u
sample.NET IPA CA                             CT,C,C
Signing-Cert                                  u,u,u

I also retried the resubmit/restart processes, but unfortunately the error
persists (ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony


On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:
>> Anthony Cheng wrote:
>>>
>>> Small update: I found an article in the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code I am getting, and I followed the steps with certutil to update
>>> the cert attributes, but it is still not working.  The article is listed
>>> as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for
> the time I set the clock to in order to renew the certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]#
>
> [root@test pki-ca]# ll * | grep self
> -rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
> -rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159
>
> From the debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]: 
> [28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
> [28/Jan/2016:21:09:02][main]: 
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
> [28/Jan/2016:21:09:02][main]: LogFile: log event type 

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Anthony Cheng
On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:
> Anthony Cheng wrote:
>>
>> Small update: I found an article in the RH solution library
>> (https://access.redhat.com/solutions/2020223) that has the same error
>> code I am getting, and I followed the steps with certutil to update
>> the cert attributes, but it is still not working.  The article is listed
>> as "Solution in Progress".
>>
>> [root@test ~]# getcert list | more
>>
>> Number of certificates and requests being tracked: 7.
>>
>> Request ID '20111214223243':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
>
> Not Found means the CA didn't start. You need to examine the debug and
> selftest logs to determine why.
>
> rob

selftests.log is empty; there are entries for other times but not for
the time I set the clock to in order to renew the certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]#

[root@test pki-ca]# ll * | grep self
-rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
-rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159

From the debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Rob Crittenden

Anthony Cheng wrote:

Small update: I found an article in the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code I am getting, and I followed the steps with certutil to update
the cert attributes, but it is still not working.  The article is listed
as "Solution in Progress".

[root@test ~]# getcert list | more

Number of certificates and requests being tracked: 7.

Request ID '20111214223243':

status: CA_UNREACHABLE

ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).


Not Found means the CA didn't start. You need to examine the debug and 
selftest logs to determine why.


rob



stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes



On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:

On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:

Anthony Cheng wrote:
 > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
 >
 > Anthony Cheng wrote:
 >  > OK so I made progress on my cert renew issue; I was able to get kinit
 >  > working so I can follow the rest of the steps here
 >  > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
 >  >
 >  > However, after using
 >  >
 >  > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
 >  >
 >  > and restarting apache (/sbin/service httpd restart), resubmitting 3
 >  > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
 >  > (/sbin/service ipa restart), I still see:
 >  >
 >  > [root@test ~]# ipa-getcert list | more
 >  > Number of certificates and requests being tracked: 8.
 >  > Request ID '20111214223243':
 >  >  status: CA_UNREACHABLE
 >  >  ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
 >
 > IPA proxies requests to the CA through Apache. This means that while
 > tomcat started ok it didn't load the dogtag CA application, hence the
 > Not Found.
 >
 > Check the CA debug and selftest logs to see why it failed to start
 > properly.
 >
 > [ snip ]
 >
 > Actually after a reboot that error went away and I just get this error
 > instead "ca-error: Server failed request, will retry: -504 (libcurl
 > failed to execute the HTTP POST transaction. Peer certificate cannot be
 > authenticated with known CA certificates)." from "getcert list"
 >
 > Result of service ipa restart is interesting since it shows today's time
 > when I already changed date/time/disabled NTP so somehow the system still
 > knows today's time.
 >
 > PKI-IPA...[02/May/2016:13:26:10 +] - SSL alert:
 > CERT_VerifyCertificateNow: verify certificate failed for cert
 > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
 > Runtime error -8181 - Peer's Certificate has expired.)

Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.


I found out why the time kept changing; it was due to the fact that
it has VM tools installed (I didn't configure this box), so it
automatically syncs time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found))

I tried the step http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
  

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-02 Thread Rob Crittenden

Anthony Cheng wrote:

On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:

Anthony Cheng wrote:
 > OK so I made progress on my cert renew issue; I was able to get kinit
 > working so I can follow the rest of the steps here
 > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
 >
 > However, after using
 >
 > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
 >
 > and restarting apache (/sbin/service httpd restart), resubmitting 3
 > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
 > (/sbin/service ipa restart), I still see:
 >
 > [root@test ~]# ipa-getcert list | more
 > Number of certificates and requests being tracked: 8.
 > Request ID '20111214223243':
 >  status: CA_UNREACHABLE
 >  ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.

Check the CA debug and selftest logs to see why it failed to start
properly.

[ snip ]

Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disabled NTP so somehow the system still
knows today's time.

PKI-IPA...[02/May/2016:13:26:10 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)


Hard to say. I'd confirm that there is no time syncing service running, 
ntp or otherwise.




 > Would really greatly appreciate any help on this.
 >
 > Also I noticed after I do ldapmodify of usercertificate binary data with
 >
 > add: usercertificate;binary
 > usercertificate;binary: !@#$@!#$#@$

You really pasted in binary? Or was this base64-encoded data?

I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using
something like:

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER
formats.

I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.

rob


Yes the wiki stated binary, the result of:
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.


Ok. So I looked at my CA data and it doesn't use the binary subtype, so 
my entries look like:


userCertificate:: MIID

It might make a difference if dogtag is looking for the subtype or not.

rob



 >
 > Then I re-run
 >
 > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
 >
 > I see 2 entries for usercertificate;binary (before modify there
was only
 > 1) but they are duplicate and NOT from data that I added.  That seems
 > incorrect to me.
 >
 >
 > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
 >
 > klist is actually empty; kinit admin fails.  Sounds like then
 > getcert resubmit has a dependency on Kerberos.  I can get a backup
 > image that has a valid ticket but it is only good for 1 day (and
 > dated past the cert expiry).
 >
 > Also I had asked awhile back about whether there is dependency on
 > DIRSRV to renew the cert; didn't get any response but I suspect
 > there is a dependency.
 >
 > Regarding the clock skew, I found out from /var/log/message that
 > shows me this so it may be from named:
 >
 > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
 > Jan 28 14:10:42 test named[2911]: loading configuration: failure
 > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
 > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-02 Thread Anthony Cheng
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden  wrote:

> Anthony Cheng wrote:
> > OK so I made progress on my cert renew issue; I was able to get kinit
> > working so I can follow the rest of the steps here
> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i
> )
> > (/sbin/service ipa restart), I still see:
> >
> > [root@test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >  status: CA_UNREACHABLE
> >  ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while
> tomcat started ok it didn't load the dogtag CA application, hence the
> Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start
> properly.
>
> [ snip ]
>
Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disabled NTP so somehow the system still
knows today's time.

PKI-IPA...[02/May/2016:13:26:10 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)


> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary
> value you should start with a DER-encoded cert and load it using
> something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER
> formats.
>
> I have a vague memory that dogtag can deal with a multi-valued
> usercertificate attribute.
>
> rob
>
>
Yes the wiki stated binary, the result of:
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.


> >
> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only
> > 1) but they are duplicate and NOT from data that I added.  That seems
> > incorrect to me.
> >
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
> >
> > klist is actually empty; kinit admin fails.  Sounds like then
> > getcert resubmit has a dependency on Kerberos.  I can get a backup
> > image that has a valid ticket but it is only good for 1 day (and
> > dated past the cert expiry).
> >
> > Also I had asked awhile back about whether there is dependency on
> > DIRSRV to renew the cert; didn't get any response but I suspect
> > there is a dependency.
> >
> > Regarding the clock skew, I found out from /var/log/message that
> > shows me this so it may be from named:
> >
> > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
> > skew too great)
> > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
> > failure.  Minor code may provide more information (Creden
> > tials cache file '/tmp/krb5cc_496' not found)
> >
> > I don't have a krb5cc_496 file (since klist is empty), so sounds to
> > me I need to get a Kerberos ticket before going any further.  Also
> > is the file /etc/krb5.keytab access/modification time important?  I
> > had changed time back to before the cert expiration date, rebooted
> > and tried to renew, but the error message about clock skew is still
> > there.  That seems strange.
> >
> > Lastly, as an absolute last resort, can I regenerate a new cert
> > myself?
> >
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> >
> > [root@test /]# klist
> > klist: No credentials 

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-30 Thread Rob Crittenden

Anthony Cheng wrote:

OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
(/sbin/service ipa restart), I still see:

[root@test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).


IPA proxies requests to the CA through Apache. This means that while 
tomcat started ok it didn't load the dogtag CA application, hence the 
Not Found.


Check the CA debug and selftest logs to see why it failed to start properly.

[ snip ]


Would really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$


You really pasted in binary? Or was this base64-encoded data?

I wonder if there is a problem in the wiki. If this is really a binary 
value you should start with a DER-encoded cert and load it using 
something like:


dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER 
formats.


I have a vague memory that dogtag can deal with a multi-valued 
usercertificate attribute.


rob



Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b 
uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only
1) but they are duplicate and NOT from data that I added.  That seems
incorrect to me.


On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:

klist is actually empty; kinit admin fails.  Sounds like then
getcert resubmit has a dependency on Kerberos.  I can get a backup
image that has a valid ticket but it is only good for 1 day (and
dated past the cert expiry).

Also I had asked awhile back about whether there is dependency on
DIRSRV to renew the cert; didn't get any response but I suspect
there is a dependency.

Regarding the clock skew, I found out from /var/log/message that
shows me this so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Creden
tials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so sounds to
me I need to get a Kerberos ticket before going any further.  Also
is the file /etc/krb5.keytab access/modification time important?  I
had changed time back to before the cert expiration date, rebooted
and tried to renew, but the error message about clock skew is still
there.  That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert
myself?

https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
 PKI-IPA... [  OK  ]
 sample-NET...  [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting DNS Service
Starting named:[FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping named:[  OK  ]
Stopping httpd:[  OK  ]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
 PKI-IPA... [  OK  ]
 sample-NET...  [  OK  ]
Aborting ipactl
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa 
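The LDIF value forms Rob's advice turns on, as an added example that is not code from the thread, FreeIPA or Dogtag: a single colon takes plain text, "::" takes base64, and ":<" takes a URL whose raw DER bytes are read at load time. The DN is the ipara entry from the thread; the PEM input is constructed bytes, not a real certificate.

```python
"""LDIF value forms for loading a certificate into userCertificate;binary.

Added example (not from the thread, FreeIPA or Dogtag). In LDIF (RFC 2849) a
value after a single colon is plain text, '::' introduces a base64 value and
':<' introduces a URL whose raw bytes are read at load time. PEM is base64 over
DER, so the '::' form can be produced straight from a PEM without a DER file,
while the ':<' form needs the DER bytes on disk.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold one logical LDIF line; continuation lines begin with one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])  # one column used by the space
        rest = rest[width - 1:]
    return "\n".join(parts)


def unfold_ldif(text: str) -> str:
    """Join LDIF continuation lines back into logical lines."""
    return text.replace("\n ", "")


def cert_modify_ldif(dn: str, der: bytes, attr: str = "userCertificate;binary") -> str:
    """Modify-LDIF adding the certificate as a base64 ('::') value."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"dn: {dn}", "changetype: modify", f"add: {attr}",
             fold_ldif_line(f"{attr}:: {b64}"), "-"]
    return "\n".join(lines) + "\n"


def cert_modify_ldif_from_file(dn: str, der_path: str,
                               attr: str = "userCertificate;binary") -> str:
    """Same change with the ':<' URL form used in the thread; der_path must
    hold DER bytes (openssl x509 -outform DER), not PEM."""
    lines = [f"dn: {dn}", "changetype: modify", f"add: {attr}",
             f"{attr}:< file://{der_path}", "-"]
    return "\n".join(lines) + "\n"


def cert_from_ldif(ldif_text: str, attr: str = "userCertificate;binary") -> bytes:
    """Recover the DER bytes from the '::' value of a (possibly folded) LDIF."""
    prefix = f"{attr}:: "
    for line in unfold_ldif(ldif_text).splitlines():
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):], validate=True)
    raise ValueError(f"no base64 {attr} value in LDIF")


# Constructed sample: 200 arbitrary bytes wrapped as PEM. NOT a real
# certificate; it only exercises the encoding path.
SAMPLE_DER = bytes(range(200))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(cert_modify_ldif("uid=ipara,ou=People,o=ipaca", der))
    print(cert_modify_ldif_from_file("uid=ipara,ou=People,o=ipaca", "/tmp/ra.der"))
```

Feeding the base64 form to ldapmodify yields the `userCertificate;binary::` presentation Anthony saw in ldapsearch, which is how to tell a correctly loaded value from pasted text after a single colon.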

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
I made further progress: I managed to get it into the NEED_TO_SUBMIT state
again after a reboot, and this time klist and clock look good.  However I am
getting this error while restarting IPA:

Starting dirsrv:
 PKI-IPA...[29/Apr/2016:21:41:48 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching
all files on the computer I found some files that have that time:
/var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
/var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in
the error log:
Starting dirsrv:
PKI-IPA...[28/Sep/2014:14:58:15 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
sample-NET...[28/Sep/2014:14:58:16 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2, and one is expired no
matter what time I set it to, because of the time gap between them; this
seems to indicate that I need to remove one of them:

[root@test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep
'Issuer\|Not\|Subject\|Name'
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng 
wrote:

> OK so I made progress on my cert renewal issue; I was able to get kinit
> working so I can follow the rest of the steps here (
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
> (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> (/sbin/service ipa restart), I still see:
>
> [root@test ~]# ipa-getcert list | more
>
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
>
> expires: 2016-01-29 14:09:46 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
>
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: 
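The two Server-Cert entries in the certutil listing above have validity windows that do not overlap (one ends 30 Oct 2014, the other starts 2 Aug 2015), which is why no clock setting makes both verify. As an added example that is not code from the thread or from FreeIPA, the script below parses that grep-filtered `certutil -L -n` output, labels each copy at a chosen time, and reports whether any common validity window exists; the sample input is constructed from the listing above.

```python
from datetime import datetime

# certutil prints validity timestamps like "Sun Aug 02 14:09:45 2015"
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"

# Constructed sample, modelled on the grep-filtered `certutil -L -n Server-Cert`
# output in the thread: two certificates under one nickname, disjoint windows.
SAMPLE_OUTPUT = """\
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Name: Certificate Key Usage
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
Name: Certificate Key Usage
"""


def parse_certutil(text):
    """One dict per certificate; a new record starts at each 'Issuer:' line.
    Timestamps become naive datetimes (certutil prints local time)."""
    certs = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "Issuer":
            certs.append({"issuer": value})
        elif not certs:
            continue  # ignore anything before the first record
        elif key == "Not Before":
            certs[-1]["not_before"] = datetime.strptime(value, CERTUTIL_TIME)
        elif key == "Not After":
            certs[-1]["not_after"] = datetime.strptime(value, CERTUTIL_TIME)
        elif key == "Subject":
            certs[-1]["subject"] = value
    return [c for c in certs if "not_before" in c and "not_after" in c]


def common_validity(certs):
    """Intersection of all validity windows, or None when it is empty.
    No overlap means no clock setting makes every copy under the nickname
    verify at once, so winding the clock back cannot make the DB consistent."""
    if not certs:
        return None
    start = max(c["not_before"] for c in certs)
    end = min(c["not_after"] for c in certs)
    return (start, end) if start < end else None


def classify(certs, when):
    """Label each certificate 'valid', 'expired' or 'not-yet-valid' at `when`."""
    return ["not-yet-valid" if when < c["not_before"]
            else "expired" if when > c["not_after"] else "valid"
            for c in certs]


def report(text, when_iso):
    """Summarise certutil output at the ISO-8601 time `when_iso`; 'remove'
    lists expired copies sitting beside a valid one, i.e. the stale
    duplicates NSS keeps tripping over during verification."""
    certs = parse_certutil(text)
    labels = classify(certs, datetime.fromisoformat(when_iso))
    return {
        "count": len(certs),
        "labels": labels,
        "overlap": common_validity(certs) is not None,
        "remove": [i for i, l in enumerate(labels)
                   if l == "expired" and "valid" in labels],
    }
```

Running `report(SAMPLE_OUTPUT, "2016-01-28T14:05:01")` (the clock the thread was wound back to) labels the copies `["valid", "expired"]` with no overlap, pointing at the second copy as the one to delete.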

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
OK so I made progress on my cert renewal issue; I was able to get kinit
working so I can follow the rest of the steps here (
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
(ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
(/sbin/service ipa restart), I still see:

[root@test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


Here is other relevant output:

[root@test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Starting dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:   [  OK  ]
Starting Kerberos 5 KDC:   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:  [  OK  ]
Starting Kerberos 5 Admin Server:  [  OK  ]
Restarting DNS Service
Stopping named: .  [  OK  ]
Starting named:[  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:[  OK  ]
Starting ipa_memcached:[  OK  ]
Restarting HTTP Service
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]
Restarting CA Service
Stopping pki-ca:   [  OK  ]
Starting pki-ca:   [  OK  ]

[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: t...@sample.net

Valid starting ExpiresService principal
01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample@sample.net
01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample@sample.net

[root@test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

[root@caer ~]# /sbin/service httpd restart
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]


Would 

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread Anthony Cheng
klist is actually empty; kinit admin fails.  Sounds like getcert
resubmit then has a dependency on Kerberos.  I can get a backup image that has
a valid ticket but it is only good for 1 day (and dated past the cert
expiry).

Also I had asked a while back about whether there is a dependency on DIRSRV to
renew the cert; I didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message, which shows me
this, so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew
too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
need to get a Kerberos ticket before going any further.  Also, is the file
/etc/krb5.keytab access/modification time important?  I had changed the time
back to before the cert expiration date, rebooted and tried to renew, but the
error message about clock skew is still there.  That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting DNS Service
Starting named:[FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping named:[  OK  ]
Stopping httpd:[  OK  ]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Aborting ipactl
[root@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped

On Thu, Apr 28, 2016 at 3:21 AM David Kupka  wrote:

> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the manual renewal
> procedure
> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even
> with
> > resetting the system/hardware clock to a time before expires, I am
> getting the
> > error "ca-error: Error setting up ccache for local "host" service using
> default
> > keytab: Clock skew too great."
> >
> > With NTP disabled and the clock reset why would it complain about clock skew
> and how
> > does it even know about the current time?
> >
> > [root@test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >  status: MONITORING
> >  ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=sample.NET
> >  subject: CN=test.sample.net,O=sample.NET
> >  expires: 2016-01-29 14:09:46 UTC
> >  eku: id-kp-serverAuth
> >  pre-save command:
> >  post-save command:
> >  track: yes
> >  auto-renew: yes
> > Request ID '20111214223300':
> >  status: MONITORING
> >  ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=sample.NET
> >  

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread Sumit Bose
On Wed, Apr 27, 2016 at 07:54:57PM +, Anthony Cheng wrote:
> Hi list,
> 
> I am trying to renew expired certificates following the manual renewal
> procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> even with resetting the system/hardware clock to a time before expires, I
> am getting the error "ca-error: Error setting up ccache for local "host"
> service using default keytab: Clock skew too great."

This is a Kerberos error message which is not related to the certificate
lifetime. Please try to make sure that client and server use the same
time.

bye,
Sumit

> 
> With NTP disabled and the clock reset why would it complain about clock skew and
> how does it even know about the current time?
> 
> [root@test certs]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Clock skew too great.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:46 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Clock skew too great.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Clock skew too great.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
> ".
> stuck: yes
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> '
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=CA Audit,O=sample.NET
> expires: 2017-10-13 14:10:49 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "
> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
> ".
> stuck: yes
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> '
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=OCSP Subsystem,O=sample.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: 
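The `getcert list` output quoted throughout this thread can be checked mechanically for the conditions the thread keeps hitting: a request marked stuck, any ca-error (the Kerberos clock-skew one Sumit points out, or the later 4301 CMS error), and a certificate that has expired or is about to. The script below is an added example, not code from the thread or from FreeIPA/certmonger; the sample listing is constructed from the thread's output and the field names are the ones certmonger prints there.

```python
import re
from datetime import datetime, timedelta

# Field names certmonger prints per tracked request; any other "x: y" line
# (e.g. "default keytab: Clock skew too great.") is a wrapped value.
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "eku", "pre-save command",
          "post-save command", "track", "auto-renew"}

# Constructed sample, modelled on the `getcert list` output in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
    CA: IPA
    subject: CN=test.sample.net,O=sample.NET
    expires: 2016-01-29 14:09:46 UTC
Request ID '20111214223316':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    expires: 2016-01-29 14:09:45 UTC
Request ID '20130519130741':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    CA: dogtag-ipa-renew-agent
    expires: 2017-10-13 14:10:49 UTC
"""


def parse_getcert(text):
    """Return one dict per 'Request ID' block, joining wrapped values."""
    reqs, last = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            reqs.append({"id": m.group(1)})
            last = None
        elif not reqs:
            continue  # header line before the first request
        else:
            key, sep, value = line.partition(":")
            if sep and key in FIELDS:
                reqs[-1][key] = value.strip()
                last = key
            elif last:  # continuation of the previous field
                reqs[-1][last] = (reqs[-1][last] + " " + line).strip()
    return reqs


def audit(text, now_iso, warn_days=30):
    """(request id, finding) pairs worth alerting on at the ISO time `now_iso`:
    stuck requests, any ca-error, and certificates expired or expiring soon."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for r in parse_getcert(text):
        if r.get("stuck") == "yes":
            out.append((r["id"], "stuck"))
        if r.get("ca-error"):
            out.append((r["id"], "ca-error"))
        if "expires" in r:
            exp = datetime.strptime(r["expires"].replace(" UTC", ""),
                                    "%Y-%m-%d %H:%M:%S")
            if exp <= now:
                out.append((r["id"], "expired"))
            elif exp - now <= timedelta(days=warn_days):
                out.append((r["id"], "expiring"))
    return out
```

Run against real output with `audit(open("getcert.txt").read(), "2016-01-28T14:05:01")`; a cron job that alerts on a non-empty result would have flagged these certificates a month before they expired, before the renewal depended on rolling the clock back.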

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread David Kupka

On 27/04/16 21:54, Anthony Cheng wrote:

Hi list,

I am trying to renew expired certificates following the manual renewal procedure
here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
resetting the system/hardware clock to a time before expires, I am getting the
error "ca-error: Error setting up ccache for local "host" service using default
keytab: Clock skew too great."

With NTP disabled and the clock reset why would it complain about clock skew and how
does it even know about the current time?

[root@test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
 status: MONITORING
 ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=test.sample.net,O=sample.NET
 expires: 2016-01-29 14:09:46 UTC
 eku: id-kp-serverAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20111214223300':
 status: MONITORING
 ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate
DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=test.sample.net,O=sample.NET
 expires: 2016-01-29 14:09:45 UTC
 eku: id-kp-serverAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20111214223316':
 status: MONITORING
 ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=test.sample.net,O=sample.NET
 expires: 2016-01-29 14:09:45 UTC
 eku: id-kp-serverAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20130519130741':
 status: NEED_CSR_GEN_PIN
 ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true;.
 stuck: yes
 key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
 certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=CA Audit,O=sample.NET
 expires: 2017-10-13 14:10:49 UTC
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20130519130742':
 status: NEED_CSR_GEN_PIN
 ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true;.
 stuck: yes
 key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
 certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=sample.NET
 subject: CN=OCSP Subsystem,O=sample.NET
 expires: 2017-10-13 14:09:49 UTC
 eku: id-kp-OCSPSigning
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
 track: yes
 auto-renew: yes
Request ID '20130519130743':
 status: NEED_CSR_GEN_PIN
 ca-error: Internal error: no response to