Michael Gusek wrote:
> Hello Rob,
> i can understand why CA won't start with expired certs. Actually my
> system date is a day before expiring (expiring date is 30 Jul 2017,
> system date now 29 Jul 2017), but CA won't start. How to "ensure that
> the CA comes up" ?

Ok, well the logs I responded to were from [07/Aug/2017:14:21:41].

ipactl is going to restart ntpd which would revert the time.

What I'd try is:

- ipactl stop
- service ntpd stop (to be sure)
- date <past>
- service pki-tomcatd@pki-tomcat.service start

To see if the CA came up:

curl http://`hostname`:8080/ca/ee/ca/getCertChain

If so then service certmonger restart


> Michael
> Am 08.08.2017 um 17:40 schrieb Rob Crittenden:
>> Michael Gusek via FreeIPA-users wrote:
>>> Hi Fraser,
>>> at the moment, i can't provide this logfile, i've moved that back to
>>> have only new log lines. But a new new logfile is not created ??? In my
>>> old logfile i have some lines after switch to basic auth, but before
>>> setting time to past:
>> The CA won't start with expired certs.
>> I'd set the time back to the past and ensure that the CA comes up. The
>> debug log in that case should tell you what is going on. Be sure that
>> ntpd is stopped.
>> Restarting certmonger should be sufficient to have it try renewal as it
>> will see on startup that the certs need to be refreshed.
>> rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to