Cannot create cert chain: certificate signature failure
Russ Allbery
eagle at eyrie.org
Sat Sep 5 02:12:55 EDT 2015
Russ Allbery <eagle at eyrie.org> writes:
> I had working PKINIT in my test MIT Kerberos realm using certificates
> issued by Heimdal, but now all attempts to authenticate with PKINIT are
> just failing with the following error in the KDC syslog:
> Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EYRIE.ORG for krbtgt/EYRIE.ORG at EYRIE.ORG, Cannot create cert chain: certificate signature failure
> Any idea what's going on? This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?
> The key piece of information is probably that the certificates (CA, KDC,
> and client) were created with Heimdal hxtool.
> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is
> a much nicer interface. And I'm not sure why it wouldn't work,
> particularly since it was previously working just fine (with the same
> server software version, although an older MIT Kerberos client version).
I should have added:
Client: MIT Kerberos 1.13.2
Server: Tried both MIT Kerberos 1.10.1 and 1.13.2
With 1.10.1, I got the infamous "Cannot allocate memory" error with
PKINIT, but got the "certificate signature failure" error when trying to
use a client certificate.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
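An added diagnostic, not part of the thread: it runs the same X.509 chain verification that MIT's PKINIT module (pkinit_crypto_openssl.c) hands to OpenSSL, but from the command line, where the verify error is printed in full rather than as the KDC's one-line summary. The CA, client and "imposter" certificates are constructed here as stand-ins for the hxtool-issued files, and the `chain_ok` helper and the paths are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): reproduce the chain check outside
# the KDC so OpenSSL's own verify error is visible instead of the KDC's
# terse "Cannot create cert chain: ..." line.
# The CA and client certificates below are constructed stand-ins for the
# hxtool-issued ones; on a real realm, point CA at the file named by
# pkinit_anchors and CLIENT at the client's PKINIT certificate instead.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.pem"; CAKEY="$WORK/ca.key"
CLIENT="$WORK/client.pem"
IMPOSTER="$WORK/imposter-ca.pem"

# Constructed CA, plus a client certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test PKINIT CA" \
  -keyout "$CAKEY" -out "$CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$CA" -CAkey "$CAKEY" \
  -CAcreateserial -out "$CLIENT" >/dev/null 2>&1

# A second CA with the SAME subject name but a fresh key: what the anchor
# looks like when a CA was re-issued and the KDC still trusts the other copy.
# It has the right name, so it looks like the issuer, but the key is wrong,
# so the client certificate's signature cannot verify against it.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test PKINIT CA" \
  -keyout "$WORK/imposter.key" -out "$IMPOSTER" >/dev/null 2>&1

# chain_ok ANCHOR LEAF: verify LEAF against ANCHOR the way a trust store
# would. Prints OpenSSL's full verdict; returns 0 only for a verified chain.
# (Decided on the printed verdict, since old openssl releases exit 0 either way.)
chain_ok() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  printf '%s\n' "$out"
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Same leaf, two anchors: the first verifies, the second fails, and this time
# the exact X.509 verify error (depth, code, reason) is printed.
chain_ok "$CA" "$CLIENT"
chain_ok "$IMPOSTER" "$CLIENT" || true
```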