[37215] in Kerberos

Cannot create cert chain: certificate signature failure

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Sep 5 01:57:59 2015

From: Russ Allbery <eagle@eyrie.org>
To: kerberos@mit.edu
Date: Fri, 04 Sep 2015 22:57:41 -0700
Message-ID: <877fo54dd6.fsf@hope.eyrie.org>

Hi all,

I had working PKINIT in my test MIT Kerberos realm using certificates
issued by Heimdal, but now all attempts to authenticate with PKINIT are
just failing with the following error in the KDC syslog:

Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EYRIE.ORG for krbtgt/EYRIE.ORG@EYRIE.ORG, Cannot create cert chain: certificate signature failure

Any idea what's going on?  This appears to be some failure inside OpenSSL,
but it looks like absolutely no information about the error is actually
logged anywhere?

The key piece of information is probably that the certificates (CA, KDC,
and client) were created with Heimdal hxtool.

I was previously successful issuing certs with OpenSSL directly and the
configuration from the wiki, but I'd really rather use hxtool, which is a
much nicer interface.  And I'm not sure why it wouldn't work, particularly
since it was previously working just fine (with the same server software
version, although an older MIT Kerberos client version).

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>