Hi Florence

I have multiple IPA servers. Actually, the master server should be the CA 
renewal master, but when I checked now, it is not. The CA renewal master is now 
showing as a replica server, the same replica server where I am facing this 
pki-tomcatd service failure issue.

Not sure how it got changed

[root@sai ~]# ipa config-show | grep 'CA renewal master'
  IPA CA renewal master: dires01.ipa.domain.com

My CA renewal master should be : aaa01.ipa.domain.com

Please let us know for more details


Regards
Sai


From: Florence Blanc-Renaud <[email protected]>
Sent: 07 July 2023 17:22
To: FreeIPA users list <[email protected]>
Cc: Polavarapu Manideep Sai <[email protected]>
Subject: Re: [Freeipa-users] pki-tomcatd service stopped




Hi,

we need more details in order to help you. Do you have a single IPA server or 
multiple servers? Which one is the CA renewal master?
flo

On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users 
<[email protected]> wrote:
Hi Team,

As we checked, the pki-tomcatd service was stopped. It was not possible to set 
the clock back, as other certificates would not be valid.

Please find the details below; please let us know if more details are required 
on this.

As you can see, we get "Unable to communicate with CMS (404)" when performing 
ipa cert-show for the serial number. The IPA version is VERSION: 4.5.0.

Please guide us to proceed further


[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
            Not After : Mon Jan 10 06:35:46 2022
[root@sai ~]#
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
            Not Before: Tue Jan 21 06:35:46 2020
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
        Serial Number: 80 (0x50)
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# ipa cert-show 80
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
[root@sai ~]#
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@sai ~]#
[root@sai ~]#

Regards
Sai

________________________________

DISCLAIMER: The information in this message is confidential and may be legally 
privileged. It is intended solely for the addressee. Access to this message by 
anyone else is unauthorized. If you are not the intended recipient, any 
disclosure, copying, or distribution of the message, or any action or omission 
taken by you in reliance on it, is prohibited and may be unlawful. Please 
immediately contact the sender if you have received this message in error. 
Further, this e-mail may contain viruses and all reasonable precaution to 
minimize the risk arising there from is taken by OnMobile. OnMobile is not 
liable for any damage sustained by you as a result of any virus in this e-mail. 
All applicable virus checks should be carried out by you before opening this 
e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
