> On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote:
> Hi,
>
> you need to carefully pick the date in the past. At that given date, all
> your certs must be valid (i.e. notbefore < date < notafter). It's likely
> that you chose a date before the notbefore date of some of the certs.
>
> flo
Hi flo,

Still working on this and I'm unsure exactly what to do next. Here are the Not Before and Not After dates of all the certs:

/etc/dirsrv/slapd-CFHT-HAWAII-EDU,nickname='Server-Cert'
    Not Before: Sat May 18 19:15:24 2019
    Not After : Tue May 18 19:15:24 2021

/etc/httpd/alias,nickname='Server-Cert'
    Not Before: Sat May 18 19:15:34 2019
    Not After : Tue May 18 19:15:34 2021

/etc/httpd/alias,nickname='ipaCert'
    Not Before: Wed Jun 14 06:06:40 2017
    Not After : Tue Jun 04 06:06:40 2019

/etc/pki/pki-tomcat/alias,nickname='auditSigningCert cert-pki-ca'
    Not Before: Wed Jun 14 20:45:05 2017
    Not After : Tue Jun 04 20:45:05 2019

/etc/pki/pki-tomcat/alias,nickname='ocspSigningCert cert-pki-ca'
    Not Before: Sat Jun 01 10:29:31 2019
    Not After : Fri May 21 10:29:31 2021

/etc/pki/pki-tomcat/alias,nickname='subsystemCert cert-pki-ca'
    Not Before: Thu Jun 29 04:28:11 2017
    Not After : Wed Jun 19 04:28:11 2019

/etc/pki/pki-tomcat/alias,nickname='caSigningCert cert-pki-ca'
    Not Before: Wed Jul 22 14:25:13 2015
    Not After : Sun Jul 22 14:25:13 2035

/etc/pki/pki-tomcat/alias,nickname='Server-Cert cert-pki-ca'
    Not Before: Tue May 07 19:15:22 2019
    Not After : Mon Apr 26 19:15:22 2021

From what I can tell, setting the date to 2019-06-02 should be fine, so I did that and restarted pki-tomcatd (which starts up fine when backdated). When I restart certmonger I'm getting log messages of:

Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.572219961 -1000] csngen_new_csn - Warning: too much time skew (-19483202 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.612098416 -1000] csngen_new_csn - Warning: too much time skew (-19483203 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.628118429 -1000] csngen_new_csn - Warning: too much time skew (-19483204 secs). Current seqnum=1

And getcert list displays the following:

...
Request ID '20170614061938':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LOCAL
    subject: CN=IPA RA,O=LOCAL
    expires: 2019-06-04 06:06:40 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20170614062601':
    status: MONITORING
    ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LOCAL
    subject: CN=CA Audit,O=LOCAL
    expires: 2019-06-04 20:45:05 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
...
Request ID '20170614062603':
    status: MONITORING
    ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LOCAL
    subject: CN=CA Subsystem,O=LOCAL
    expires: 2019-06-19 04:28:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
...

Thanks for all of your help.

Ferdinand

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
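As an added illustration of flo's rule (this is not part of the thread and not FreeIPA's or certmonger's own tooling), the following Python script applies "notbefore < date < notafter" to every certificate at once. It takes the Not Before / Not After strings in the form getcert and certutil print them, computes the latest Not Before and the earliest Not After across the set (the only window in which every certificate is valid), and names the certificates that would block a candidate date. The dates are the ones listed in the post; the short labels for each certificate are my own choice, and timezones are ignored since the question is only which clock date to pick.

```python
from datetime import datetime

# Validity dates as listed in the post above (Not Before, Not After).
# Labels are shortened for readability; they are not the NSS nicknames.
CERTS = {
    "dirsrv Server-Cert":           ("Sat May 18 19:15:24 2019", "Tue May 18 19:15:24 2021"),
    "httpd Server-Cert":            ("Sat May 18 19:15:34 2019", "Tue May 18 19:15:34 2021"),
    "httpd ipaCert":                ("Wed Jun 14 06:06:40 2017", "Tue Jun 04 06:06:40 2019"),
    "auditSigningCert cert-pki-ca": ("Wed Jun 14 20:45:05 2017", "Tue Jun 04 20:45:05 2019"),
    "ocspSigningCert cert-pki-ca":  ("Sat Jun 01 10:29:31 2019", "Fri May 21 10:29:31 2021"),
    "subsystemCert cert-pki-ca":    ("Thu Jun 29 04:28:11 2017", "Wed Jun 19 04:28:11 2019"),
    "caSigningCert cert-pki-ca":    ("Wed Jul 22 14:25:13 2015", "Sun Jul 22 14:25:13 2035"),
    "Server-Cert cert-pki-ca":      ("Tue May 07 19:15:22 2019", "Mon Apr 26 19:15:22 2021"),
}

# Format used by the "Not Before:" / "Not After :" lines quoted in the post.
FMT = "%a %b %d %H:%M:%S %Y"


def parse(s):
    """Parse a 'Sat Jun 01 10:29:31 2019' style timestamp (timezone ignored)."""
    return datetime.strptime(s, FMT)


def common_window(certs):
    """Return (start, end): latest Not Before and earliest Not After.

    Every certificate is valid at any instant t with start < t < end.
    If start >= end there is no single date at which all of them are
    valid, and backdating the clock cannot help on its own.
    """
    starts = [parse(nb) for nb, _ in certs.values()]
    ends = [parse(na) for _, na in certs.values()]
    return max(starts), min(ends)


def blockers(certs, when):
    """Map each certificate that is NOT valid at `when` to the reason.

    `when` is an ISO date or datetime string, e.g. "2019-06-02".
    An empty result means the candidate date satisfies flo's rule.
    """
    t = datetime.fromisoformat(when)
    out = {}
    for name, (nb, na) in certs.items():
        if t <= parse(nb):
            out[name] = "not yet valid"
        elif t >= parse(na):
            out[name] = "expired"
    return out


if __name__ == "__main__":
    start, end = common_window(CERTS)
    print(f"all certs valid strictly between {start} and {end}")
    for candidate in ("2019-06-02", "2019-05-30", "2019-06-05"):
        problems = blockers(CERTS, candidate)
        print(candidate, "OK" if not problems else problems)
```

For the dates in the post the window runs from the ocspSigningCert's Not Before (2019-06-01 10:29:31) to the ipaCert's Not After (2019-06-04 06:06:40), so 2019-06-02 does satisfy the rule for every certificate. The script checks certificate validity only: the "Ticket not yet valid" GSSAPI error and the csngen_new_csn time-skew warnings in the log come from Kerberos tickets and the directory server's CSN generator seeing a clock far behind what they last recorded, which is a separate effect of backdating that this check does not cover.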