On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote:
> Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto:
> > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
> > not the FreeIPA DIT.  You should check on a CA replica.
> > 
> 
> I don't have a replica right now (I'm in the middle of a disaster!)...
> 
"CA replica" just means any IPA master that has the Dogtag CA
installed.

You have a Dogtag CA.  That CA uses an LDAP database, which has
basedn `o=ipaca'.  That database should have the entry I indicated,
whose `userCertificate' attribute we are interested in.

> Some more detail: setting the system date to an interval in which all
> certificates are valid, certmonger leaves requests in the "SUBMITTING" state.
> Outside this interval requests go into the "CA_UNREACHABLE" state (a POST to
> https://$SERVER/ipa/xml gives HTTP 500).
> 
> This whole issue began with a (damn!) "ipa-cacert-manage renew", tried
> because service certificates weren't being updated by certmonger.
> 
> Now the question is: is there a way to rollback this operation in order to
> perform the date-in-the-past trick?
> 
There's no simple rollback, but I'm confident the situation is
recoverable.  It will require a methodical examination of the state
of the system.  This will take time (especially over email, across
timezones).

Here are some notes I made about how cert renewal works in FreeIPA,
what the different certs are used for, things that have to line up
and troubleshooting ideas.  It is not comprehensive but perhaps it
will help.
https://github.com/frasertweedale/talks/blob/master/2017-11-01-ipa-cert-renewal/talk.rst

Cheers,
Fraser

> TIA,
> Giulio
> 
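An added helper, not from this thread or from FreeIPA/Dogtag: given the `subject`/`notBefore`/`notAfter` lines that `openssl x509 -noout -subject -dates` prints for each certificate you pull out of the `o=ipaca` tree, it computes the interval in which every certificate is valid (the window the date-in-the-past trick relies on) and lists which certificates exclude a given instant. The subjects and dates in `SAMPLE` are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -noout -subject -dates` prints for
# three certificates (subjects and dates are made up, not real FreeIPA data).
SAMPLE = """\
subject=CN=Certificate Authority,O=EXAMPLE.TEST
notBefore=Jan  9 10:00:00 2008 GMT
notAfter=Jan  9 10:00:00 2028 GMT
subject=CN=CA Subsystem,O=EXAMPLE.TEST
notBefore=Dec 20 09:00:00 2015 GMT
notAfter=Dec 10 09:00:00 2017 GMT
subject=CN=OCSP Subsystem,O=EXAMPLE.TEST
notBefore=Jan  1 08:30:00 2016 GMT
notAfter=Dec 22 08:30:00 2017 GMT
"""

OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jan  9 10:00:00 2018 GMT"


def parse_dates(text):
    """Return {subject: (notBefore, notAfter)} from openssl -dates output."""
    certs, subject = {}, None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value
        elif key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with two spaces; collapse them
            when = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
            when = when.replace(tzinfo=timezone.utc)
            certs.setdefault(subject, [None, None])[key == "notAfter"] = when
    return {s: tuple(v) for s, v in certs.items()}


def common_window(certs):
    """Intersect all validity windows: the interval in which every cert is
    valid. If start > end there is no instant at which all of them are valid."""
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return start, end


def blockers(certs, at):
    """Subjects whose validity window does not contain the instant `at`."""
    return sorted(s for s, (nb, na) in certs.items() if not nb <= at <= na)


if __name__ == "__main__":
    certs = parse_dates(SAMPLE)
    start, end = common_window(certs)
    print("all certs valid between", start, "and", end)
    now = datetime(2018, 1, 9, 12, 30, tzinfo=timezone.utc)
    print("certs not valid at", now, "->", blockers(certs, now))
```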
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org