no valid keys found

Russ Allbery eagle at windlord.stanford.edu
Mon Dec 31 21:08:58 PST 2012


YANG ChengFu <youngseph at gmail.com> writes:

> my webkdc had been working for about 2 months without any problems,
> today I got the following error message from webkdc

>  [error] mod_webkdc: create_service_token_from_req:webauth_token_create
> failed: item not found while searching (no valid keys found) (12)
> [Tue Jan 01 04:30:21 2013] [notice] mod_webkdc: event=getTokens
> from=10.136.192.34 server=krb5:webauth at EXAMPLE.ORG user=<unknown>
> errorCode=7 errorMessage="token create failed"

This means that the keyring on the WebKDC doesn't have any keys that are
currently valid.

If you run wa_keyring -f <path> list on the path to the keyring on the
WebKDC (the one used by mod_webkdc), you'll see something like:

Path: keyring

id  Created              Valid after          Fingerprint
 0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c

Take a look at the "Valid after" field.  You probably don't have any valid
keys in the keyring that have a "Valid after" date in the past.

Usually this happens because you've disabled automatic key rotation
(usually because you have multiple WebKDCs) by turning off
WebKdcKeyringAutoUpdate, but your wa_keyring cron job to rotate the keys
isn't correct.  Perhaps it's garbage-collecting all the valid keys but not
adding a new one?

Take a look at the section in the mod_webkdc manual on setting up multiple
WebKDCs for more details about how to run wa_keyring to maintain the
keyring.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
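
An added example, not part of the original message or of WebAuth itself: a small monitoring check that parses wa_keyring -f <path> list output in the layout shown above and reports when no key has a "Valid after" time in the past. The function names, the second sample key, and reading the timestamps as local time are assumptions.

```python
import sys
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
# Constructed sample in the layout shown above; key 1 is invented to
# illustrate a key whose "Valid after" time is still in the future.
SAMPLE = """\
Path: keyring

id  Created              Valid after          Fingerprint
 0  2011-06-22 14:44:46  2011-06-21 14:44:46  b6dfdcdcd33a8064fc857db5e5ce843c
 1  2013-01-05 00:00:00  2013-01-07 00:00:00  00000000000000000000000000000000
"""

def parse_keyring_list(text):
    """Return [(id, created, valid_after, fingerprint)] from list output."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        # Key rows have six fields: id, date, time, date, time, fingerprint.
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        try:
            created = datetime.strptime(" ".join(parts[1:3]), TS)
            valid_after = datetime.strptime(" ".join(parts[3:5]), TS)
        except ValueError:
            continue  # header or other non-key line
        keys.append((int(parts[0]), created, valid_after, parts[5]))
    return keys

def check(text, now):
    """Return (ok, message); ok is False when no key is valid at `now`."""
    keys = parse_keyring_list(text)
    if not keys:
        return False, "CRITICAL: keyring lists no keys"
    usable = [k for k in keys if k[2] <= now]
    if not usable:
        soonest = min(k[2] for k in keys).strftime(TS)
        return False, f"CRITICAL: no valid keys until {soonest}"
    newest = max(usable, key=lambda k: k[2])
    return True, f"OK: {len(usable)}/{len(keys)} keys valid, newest id {newest[0]}"

if __name__ == "__main__":
    # Assumption: timestamps are in the local time of the host running this.
    ok, msg = check(sys.stdin.read(), datetime.now())
    print(msg)
    sys.exit(0 if ok else 2)
```

Pipe the output of wa_keyring -f <path> list into the script from cron or a monitoring agent, so that a rotation job that removes every valid key is noticed before mod_webkdc starts failing token creation.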


More information about the webauth-info mailing list