On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote:
> Michael Gusek via FreeIPA-users wrote:
> > Hi Fraser,
> > 
> > at the moment, i can't provide this logfile, i've moved that back to
> > have only new log lines. But a new new logfile is not created ??? In my
> > old logfile i have some lines after switch to basic auth, but before
> > setting time to past:
> >
> The CA won't start with expired certs.
> I'd set the time back to the past and ensure that the CA comes up. The
> debug log in that case should tell you what is going on. Be sure that
> ntpd is stopped.
> Restarting certmonger should be sufficient to have it try renewal as it
> will see on startup that the certs need to be refreshed.
> rob
Further, have a look at `getcert list` output, or
`certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>`, to inspect
the Dogtag system certificates to work out their expiry dates.

Ensure that you restart IPA (`ipactl restart`) after setting the
clock back, so that services can reinitialise with certs that are
valid according to system time.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to