[37216] in Kerberos
Re: Cannot create cert chain: certificate signature failure
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Sep 5 02:13:17 2015
From: Russ Allbery <eagle@eyrie.org>
To: kerberos@mit.edu
In-Reply-To: <877fo54dd6.fsf@hope.eyrie.org> (Russ Allbery's message of "Fri,
04 Sep 2015 22:57:41 -0700")
Date: Fri, 04 Sep 2015 23:12:55 -0700
Message-ID: <87zj112y3c.fsf@hope.eyrie.org>

Russ Allbery <eagle@eyrie.org> writes:

> I had working PKINIT in my test MIT Kerberos realm using certificates
> issued by Heimdal, but now all attempts to authenticate with PKINIT are
> just failing with the following error in the KDC syslog:
>
> Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EYRIE.ORG for krbtgt/EYRIE.ORG@EYRIE.ORG, Cannot create cert chain: certificate signature failure
>
> Any idea what's going on? This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?
>
> The key piece of information is probably that the certificates (CA, KDC,
> and client) were created with Heimdal hxtool.
>
> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is
> a much nicer interface. And I'm not sure why it wouldn't work,
> particularly since it was previously working just fine (with the same
> server software version, although an older MIT Kerberos client version).

I should have added:

Client: MIT Kerberos 1.13.2
Server: Tried both MIT Kerberos 1.10.1 and 1.13.2

With 1.10.1, I got the infamous "Cannot allocate memory" error with
PKINIT, but got the "certificate signature failure" error when trying to
use a client certificate.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>