Juan Pablo Lorier via FreeIPA-users wrote:
> Hi,
> 
> I have a production server that was not maintained and I see that the HTTP 
> certificate has expired long ago. I tried to renew it but I'm not being able 
> to get it right.
> 
> The initial status was:
> 
> Request ID '20191219011208':
>       status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>       stuck: yes
>       key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>       certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> 
> Then following this thread 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>  
> I got it to this state:
> 
> Request ID '20191219011208':
>       status: MONITORING
>       ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will 
> retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.  libcurl failed 
> even to execute the HTTP transaction, explaining:  SSL certificate problem: 
> certificate has expired).
>       stuck: no
>       key pair storage: 
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>       certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> 
> The post indicates that I have to put an old date in the server to get it 
> renewed, but as the server is in production, it means that all clients will 
> fail to log in to the server. Even more, what time should I return to, before the 
> certificate expiration or right after?
> Thanks in advance

I'd guess that this affects a lot more than just the web server cert.
getcert list will tell you.

That outcome affects the suggested remediation.

As for going back in time, you'd need a server outage to do this and it
only would be backwards in time for a short time. Just long enough so
the services could start with non-expired certificates to get them
renewed. But there are other ways to do this that don't require fiddling
with time.

rob
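
Added example, not part of the thread and not FreeIPA or certmonger code: a Python triage of `getcert list` output that reports every tracking request that is stuck, outside MONITORING, carrying a ca-error, or past its expiry, which is the check suggested above for seeing how many certificates are affected. The sample text, the host name ipa.example.test, the second request and both `expires` values are constructed, and the `expires` timestamp format is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the `getcert list` layout quoted in the thread; the
# host name, the second request and both "expires" values are invented.
SAMPLE = """\
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
    stuck: no
    expires: 2021-12-19 01:12:08 UTC
Request ID '20191219011300':
    status: MONITORING
    stuck: no
    expires: 2031-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            requests[-1][key.strip()] = value.strip()
    return requests

def triage(requests, now):
    """Map request id -> list of problems; healthy requests are omitted."""
    report = {}
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status " + req.get("status", "unknown"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in req:
            problems.append("ca-error")
        # Assumption: expiry is printed as "YYYY-MM-DD HH:MM:SS UTC".
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired")
        if problems:
            report[req["id"]] = problems
    return report
```

To use it on a real server, pass the captured text of `getcert list` to `parse_getcert` in place of `SAMPLE` and the current UTC time to `triage`.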