Michael Gusek wrote:
> Hello Rob,
>
> I can understand why CA won't start with expired certs. Actually my
> system date is a day before expiring (expiring date is 30 Jul 2017,
> system date now 29 Jul 2017), but CA won't start. How to "ensure that
> the CA comes up" ?

Ok, well the logs I responded to were from [07/Aug/2017:14:21:41].

ipactl is going to restart ntpd which would revert the time. What I'd
try is:

- ipactl stop
- service ntpd stop (to be sure)
- date <past>
- service email@example.com start

To see if the CA came up:

curl http://`hostname`:8080/ca/ee/ca/getCertChain

If so then service certmonger restart

rob

>
> Michael
>
>
> On 08.08.2017 at 17:40, Rob Crittenden wrote:
>> Michael Gusek via FreeIPA-users wrote:
>>> Hi Fraser,
>>>
>>> at the moment, I can't provide this logfile, I've moved that back to
>>> have only new log lines. But a new logfile is not created ??? In my
>>> old logfile I have some lines after switch to basic auth, but before
>>> setting time to past:
>>>
>> The CA won't start with expired certs.
>>
>> I'd set the time back to the past and ensure that the CA comes up. The
>> debug log in that case should tell you what is going on. Be sure that
>> ntpd is stopped.
>>
>> Restarting certmonger should be sufficient to have it try renewal as it
>> will see on startup that the certs need to be refreshed.
>>
>> rob
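
A check that fits the "date <past>" step in the thread above, added here as an example and not part of any message in the thread: before rolling the clock back, confirm that the chosen time is earlier than the expiry of every certificate certmonger tracks. It assumes input in the "Request ID / subject: / expires: ... UTC" layout that `getcert list` prints; the sample text and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the assumed `getcert list` layout (not from the thread).
SAMPLE = """\
Request ID '20150801000001':
    status: CA_UNREACHABLE
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-07-29 08:15:00 UTC
Request ID '20150801000002':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2017-07-30 09:30:00 UTC
Request ID '20150801000003':
    status: MONITORING
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2019-08-01 09:30:00 UTC
"""

def parse_requests(text):
    """Return [(request_id, subject, expires_utc)] for each tracked cert."""
    out, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1), "subject": "?"}
            continue
        if cur is None:
            continue
        key, _, val = line.strip().partition(": ")
        if key == "subject":
            cur["subject"] = val
        elif key == "expires":
            when = datetime.strptime(val, "%Y-%m-%d %H:%M:%S UTC")
            out.append((cur["id"], cur["subject"], when.replace(tzinfo=timezone.utc)))
    return out

def earliest_expiry(requests):
    """The clock must be set before this instant for every cert to be valid."""
    return min(exp for _, _, exp in requests)

def expired_at(requests, clock):
    """Subjects whose expiry is at or before the given timezone-aware clock."""
    return [subj for _, subj, exp in requests if exp <= clock]

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    candidate = datetime(2017, 7, 29, 12, 0, tzinfo=timezone.utc)
    print("earliest expiry:", earliest_expiry(reqs))
    print("expired at candidate clock:", expired_at(reqs, candidate))
```

Expiry times are compared in UTC, so a local-time "day before" can still be past a certificate's expiry instant.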