Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto:
You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
not the FreeIPA DIT.  You should check on a CA replica.

I don't have a replica right now (I'm in the middle of a disaster!)...

Some more detail: setting system date in an interval in which all certificates are valid, certmonger leave requests in "SUBMITTING" state. Outside this interval requests go in "CA_UNREACHABLE" state (post to https://$SERVER/ipa/xml gives http 500).

All this issue has begun with a (damn!) "ipa-cacert-manage renew", tried because services certificates weren't updated by certmonger.

Now the question is: is there a way to rollback this operation in order to perform the date-in-the-past trick?

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to