Roderick Johnstone via FreeIPA-users wrote:
> On 16/01/2018 12:14, Roderick Johnstone via FreeIPA-users wrote:
> Hi Rob
>
> This is all on my first master server.
>
> I put the clock back to when the certificates that I restore from backup
> are all valid.
>
> I restored the databases in /etc/httpd/alias and
> /etc/pki/pki-tomcat/alias from the last good backup I had.
>
> I also restored the CS.cfg file from backup.
>
> I updated the trusts in /etc/pki/pki-tomcat/alias for
> caSigningCert cert-pki-ca
> to match what is in section 5 of:
> https://access.redhat.com/solutions/643753
>
> This was previously:
> caSigningCert cert-pki-ca CTu,u,u
> for some reason.
>
> I stopped the certmonger service and ran the certmonger command you gave
> to start verbose logging.
>
> I was able to start all the ipa services after running:
> pki-server subsystem-enable ca
> (this seems to become disabled when the tomcatd service cannot start.)
>
> I ran getcert resubmit -i <requestid> for the expiring certificates.
>
> The first one I tried (ocspSigningCert) renewed but gets an odd Subject.
> It includes the hostname of one of my replica servers.
>
> The other certificates have not renewed.
>
> As you said, there is a large amount of info in the verbose certmonger
> debug logs, but it is not immediately obvious to me what has gone wrong,
> except that there are some instances of:
> Internal error
>
> Would you be prepared to have a look at the log file off-list (3.3MB
> file, uncompressed) to see if it means more to you?
Sure, feel free to send it to me directly.

rob

_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
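The thread turns on the trust flags of `caSigningCert cert-pki-ca` in the Dogtag NSS database having drifted to `CTu,u,u`. The following is an added example, not code from the thread or from the FreeIPA project: it parses the listing printed by `certutil -L -d <nssdb>` and reports nicknames whose trust flags differ from an expected table. The expected flags in `EXPECTED_TRUST` (in particular `CTu,Cu,Cu` for the CA signing certificate) are an assumption based on the usual FreeIPA layout of `/etc/pki/pki-tomcat/alias`; check them against the Red Hat solution referenced above for your release. The sample listing embedded in the script is constructed so the check runs offline.

```python
"""Report NSS trust-flag drift on Dogtag CA certificates (added example)."""
import re
import subprocess

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias` output,
# reproducing the wrong "CTu,u,u" flags described in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""

# Expected trust flags per nickname. Assumption: standard FreeIPA/Dogtag
# values; adjust to the documented values for your release.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "Server-Cert cert-pki-ca": "u,u,u",
}

# One listing row: nickname, two or more spaces, then the SSL,S/MIME,JAR triple.
_ROW = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output.

    Header and blank lines carry no comma-separated triple and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def find_trust_mismatches(entries, expected=EXPECTED_TRUST):
    """Return [(nickname, actual, expected)] for every nickname whose flags
    differ from the expected table; a missing nickname shows actual=None."""
    problems = []
    for nick, want in expected.items():
        got = entries.get(nick)
        if got != want:
            problems.append((nick, got, want))
    return problems


def check_nssdb(path):
    """Run certutil against a real NSS database (needs nss-tools installed)."""
    out = subprocess.run(
        ["certutil", "-L", "-d", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_trust_mismatches(parse_certutil_listing(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for nick, got, want in find_trust_mismatches(
            parse_certutil_listing(SAMPLE_LISTING)):
        print(f"{nick}: has {got!r}, expected {want!r}")
```

On a live server, `check_nssdb("/etc/pki/pki-tomcat/alias")` runs the real `certutil` (the runtime must be able to read the database, so run it as root). A reported mismatch on the CA signing certificate is corrected with `certutil -M -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -t "CTu,Cu,Cu"`, which is the repair the referenced Red Hat solution describes; re-run the check afterwards, since certmonger renewals through Dogtag fail in non-obvious ways ("Internal error" in the debug log) when the CA is not trusted as a CA in its own database.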