Hi,
I have an issue with my freeipa server.
The certificates expired and I can't resubmit.
I put the date before the expiration of the certs.
The result of ipa-getcert list:
Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:02 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150805183539':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:39 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150805183647':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:36:47 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
If someone can help me with this issue, it will be very helpful.
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING
FreeIPA v3.
Thank you
Julien Honore
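An added triage helper (my own example, not code from the thread, certmonger or FreeIPA): it parses `ipa-getcert list` output like the one above and flags every tracked request that carries a ca-error, is stuck, or whose certificate has expired relative to a chosen UTC timestamp, so the same list can be evaluated with the clock set back (as was done here) or at the current time. The embedded sample is constructed from two of the entries quoted above.

```python
import re
from datetime import datetime, timezone

# Constructed sample (two entries modelled on the output quoted above, not the poster's full list).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:02 UTC
    pre-save command:
Request ID '20150805183647':
    status: MONITORING
    stuck: no
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:36:47 UTC
"""

def parse_utc(stamp):
    # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one {field: value} dict per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and line[:1].isspace():
            # Split on the first colon only: ca-error and expires values contain colons; empty fields become "".
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def triage(text, now_utc):
    """Return (request_id, reason) for every tracked request that needs attention at time now_utc."""
    now = parse_utc(now_utc)
    findings = []
    for e in parse_getcert_list(text):
        if e.get("ca-error"):
            findings.append((e["request_id"], "ca-error: " + e["ca-error"]))
        if e.get("stuck") == "yes":
            findings.append((e["request_id"], "stuck"))
        if e.get("expires") and parse_utc(e["expires"]) <= now:
            findings.append((e["request_id"], "expired " + e["expires"]))
    return findings
```

Feed it the real output with `triage(open("getcert.txt").read(), "2017-08-29 16:09:00 UTC")`; a ca-error finding means renewal is blocked regardless of what the clock says, which is what the entries above show.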
On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
I have very little experience with IPA v3, but let's try anyway... If things didn't change too much, certmonger's IPA helper uses /etc/krb5.keytab to connect to the IPA server. Can you check whether this keytab is still valid using:
$ sudo kinit -kt /etc/krb5.keytab
If the operation fails, this is probably the root cause of your issue. The utility ipa-getkeytab will allow you to get the host keytab (with the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).
HTH, Flo