Jokinen Eemeli via FreeIPA-users wrote: > Hi! > > -- > certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep > "Not Before" > Not Before: Wed Feb 21 09:58:22 2018 > certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before" > Not Before: Sun Mar 04 09:58:32 2018 > certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before" > Not Before: Sun Mar 04 09:58:23 2018 > getcert list | grep "expires" > expires: 2018-03-21 09:42:06 UTC > expires: 2018-03-21 09:42:04 UTC > expires: 2036-03-31 08:42:02 UTC > expires: 2020-02-11 09:58:22 UTC > expires: 2020-03-04 09:58:32 UTC > expires: 2020-03-04 09:58:23 UTC > expires: 2018-03-21 09:42:29 UTC > expires: 2018-03-21 09:42:05 UTC > -- > > So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using > https://access.redhat.com/solutions/3357261 as a guideline. > > -- > systemctl stop ntpd > date 031603162018 > Fri Mar 16 03:16:00 EET 2018 > systemctl restart certmonger > certutil -d /var/lib/pki/pki-tomcat/alias/ -L > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > auditSigningCert cert-pki-ca u,u,Pu > caSigningCert cert-pki-ca CTu,Cu,Cu > ocspSigningCert cert-pki-ca u,u,u > subsystemCert cert-pki-ca u,u,u > Server-Cert cert-pki-ca u,u,u > getcert list | grep "expires" > expires: 2018-03-21 09:42:06 UTC > expires: 2018-03-21 09:42:04 UTC > expires: 2036-03-31 08:42:02 UTC > expires: 2020-02-11 09:58:22 UTC > expires: 2020-03-04 09:58:32 UTC > expires: 2020-03-04 09:58:23 UTC > expires: 2018-03-21 09:42:29 UTC > expires: 2018-03-21 09:42:05 UTC > getcert list |grep -B 8 "expires: 2018-03" | grep ID > Request ID '20160331084233': > Request ID '20160331084234': > Request ID '20180611071929': > Request ID '20180615083528': > ipa-getcert resubmit -i 20160331084233 -v > Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent". > ipa-getcert resubmit -i 20160331084234 -v > Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent". > ipa-getcert resubmit -i 20180611071929 -v > Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent". > ipa-getcert resubmit -i 20180615083528 -v > Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent". > journalctl -n 20 -u certmonger > -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 > EEST. -- > Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping > Certificate monitoring and PKI enrollment... > Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting > Certificate monitoring and PKI enrollment... > Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started > Certificate monitoring and PKI enrollment. > Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI > client step 1 > Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI > client step 1 > Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI > client step 1 > Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI > client step 1 > Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI > client step 2 > Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2 > Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2 > Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2 > Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2 > Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2 > Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to > dogtag-ipa-renew-agent > Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi > dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2 > getcert list | grep "expires" > expires: 2018-03-21 09:42:06 UTC > expires: 2018-03-21 09:42:04 UTC > expires: 2036-03-31 08:42:02 UTC > expires: 2020-02-11 09:58:22 UTC > expires: 2020-03-04 09:58:32 UTC > expires: 2020-03-04 09:58:23 UTC > expires: 2018-03-21 09:42:29 UTC > expires: 2018-03-21 09:42:05 UTC > date > Fri Mar 16 03:26:09 EET 2018 > -- > > I waited for some time to be sure, no luck on my opinion: > > -- > date > Fri Mar 16 03:52:24 EET 2018 > getcert list |grep expires > expires: 2018-03-21 09:42:06 UTC > expires: 2018-03-21 09:42:04 UTC > expires: 2036-03-31 08:42:02 UTC > expires: 2020-02-11 09:58:22 UTC > expires: 2020-03-04 09:58:32 UTC > expires: 2020-03-04 09:58:23 UTC > expires: 2018-03-21 09:42:29 UTC > expires: 2018-03-21 09:42:05 UTC > -- > > Also did steps 6 & 8 on the guideline page, certificates match. However step > 7 fails to error 500. > > Still wondering if I'm missing some kind of cert from certmonger since the > site says that after 7.4 (ok, RHEL, not CentOS) you should have 9 > certificates on "getcert list", I only have 8. However if I try to do the > tracking requests again as suggested by RHEL, I get no new certificates for > my list.
Hard to know without seeing the list of certs. Are you restarting dogtag, Apache and 389-ds when setting the date back? That is necessary as well. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/SAERGCJDSH4HIEBHKFEGLJ7MWK76PB2X/
