Roderick Johnstone via FreeIPA-users wrote:
> On 16/01/2018 12:14, Roderick Johnstone via FreeIPA-users wrote:
> Hi Rob
> This is all on my first master server.
> I put the clock back to when the certificates that O restore form backup
> are all valid.
> I restored the databases in /etc/httpd/alias and
> /etc/pki/pki-tomcat/alias from the last good backup I had.
> I also restored the CS.cfg file from backup.
> I updated the trusts in /etc/pki/pki-tomcat/alias for
> caSigningCert cert-pki-ca
> to match what is in section 5 of:
> This was previously:
> caSigningCert cert-pki-ca                                    CTu,u,u
> for some reason.
> I stopped the certmonger service and run the certmonger command you gave
> to start verbose logging.
> I was able to start all the ipa services after running:
> pki-server subsystem-enable ca
> (this seems to become disabled when the tomcatd service cannot start.
> I ran getcert resubmit -i <requestid> for the expiring certificates.
> The first one I tried (ocspSigningCert) renewed but gets an odd Subject.
> It includes the hostname of one of my replica servers.
> The other certificates have not renewed.
> As you said, there is a large amount of info in the verbose certmonger
> debug logs, but it is not immediately obvious to me what has gone wrong,
> except that there are some instances of:
> Internal error
> Would you be prepared to have a look at the log file off-list (3.3MB
> file, uncompressed) to see if it means more to you.

Sure, feel free to send it to me directly.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to