Umarzuki Mochlis wrote:
> 2018-02-14 4:55 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>> Umarzuki Mochlis wrote:
>>> 2018-02-13 22:59 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>>>> Umarzuki Mochlis via FreeIPA-users wrote:
>>>>> it stuck with "status: SUBMITTING" when I issue command "ipa-getcert
>>>>> list" after I resubmit cert renew "get-cert resubmit -i ID"
>>>>
>>>> Which request is stuck? Can you provide the output of ipa-getcert list
>>>> -i ID?
>>>>
>>>> rob
>>>
>>> These requests are still 'submitting' since the service started. I
>>> resubmitted them one or two years ago.
>>
>> The certs are certainly very expired at this point. Do these exist in
>> reality anymore?
>>
>> # certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
>> # certutil -L -d /etc/httpd/alias
>> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>
>> rob
>>
> 
> yes
> 
> [root@ipa ~]# certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Server-Cert                                                  u,u,u
> DOMAIN.COM IPA CA                                            CT,,C
> [root@ipa ~]# certutil -L -d /etc/httpd/alias
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Signing-Cert                                                 u,u,u
> DOMAIN.COM IPA CA                                            CT,C,C
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> [root@ipa ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert
> 

Let me circle back around. So your certs are currently expired and not
working? I assume then that your IPA master is basically dead, and has
been for 2 years?

Your best bet would be to stop ntpd, go back in time, restart httpd,
tomcat and certmonger to kick off renewal again. Watch the syslog for any
messages from certmonger.

Assuming the certs all get renewed, return to current time and run ipactl
restart.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
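
An added example, not part of the original thread: a Python helper that reads `getcert list` output, lists the requests that are not back in MONITORING, and suggests a clock value just before the earliest `expires:` date for the "go back in time" step described above. The sample output, the function names and the one-day margin are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by `getcert list`; the IDs and
# dates are invented for illustration and do not come from the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140101000001':
\tstatus: SUBMITTING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2016-01-20 10:00:00 UTC
Request ID '20140101000002':
\tstatus: SUBMITTING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert'
\texpires: 2016-01-18 09:30:00 UTC
Request ID '20140101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
\texpires: 2016-02-02 12:00:00 UTC
"""

def parse_requests(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def pending(requests):
    """Requests certmonger has not finished (anything but MONITORING)."""
    return [r for r in requests if r.get("status") != "MONITORING"]

def rollback_target(requests, margin=timedelta(days=1)):
    """Clock value `margin` before the earliest expiry, or None if no dates.
    Assumption: that moment is also after every certificate's start date,
    which `getcert list` does not print; check it with certutil."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    expiries = [datetime.strptime(r["expires"], fmt).replace(tzinfo=timezone.utc)
                for r in requests if "expires" in r]
    return min(expiries) - margin if expiries else None

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    print("pending:", [r["id"] for r in pending(reqs)])
    print("set clock to:", rollback_target(reqs))
```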