Hi Rob,

Other servers are fine, not expired.

Please let me know if more details are required on this.

[root@dir01 ~]# getcert list | grep -i expire
expires: 2023-11-10 12:17:39 UTC
expires: 2023-11-10 12:18:15 UTC
expires: 2024-01-23 09:06:01 UTC
expires: 2024-01-23 09:06:31 UTC
expires: 2024-01-23 09:06:11 UTC
expires: 2024-01-23 09:06:21 UTC
expires: 2038-04-12 14:15:30 UTC
expires: 2023-10-19 12:17:37 UTC
expires: 2023-11-10 12:18:05 UTC

Regards
Sai

-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: 07 July 2023 22:44
To: FreeIPA users list <[email protected]>; Florence
Blanc-Renaud <[email protected]>
Cc: Polavarapu Manideep Sai <[email protected]>
Subject: Re: [Freeipa-users] Re: pki-tomcatd service stopped
CAUTION. This email originated from outside the organization. Please exercise
caution before clicking on links or attachments in case of suspicion or unknown
senders.
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
>
> I have multiple ipa servers, actually the master server should be a CA
> renewal master, but when I checked now it is not, now CA renewal
> master showing as replica server, the same replica server where I am
> facing this pki-tomcatd service failure issue
>
> Not sure how it got changed
>
> [root@sai ~]# ipa config-show | grep 'CA renewal master'
> IPA CA renewal master: dires01.ipa.domain.com
>
> My CA renewal master should be : aaa01.ipa.domain.com
>
> Please let us know for more details

What is the condition of certificates on the other servers? Are they also
expired? Using `getcert list` is an easier way to get the expiration times for
all tracked certs.

rob

> Regards
> Sai
>
> *From:*Florence Blanc-Renaud <[email protected]>
> *Sent:* 07 July 2023 17:22
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Polavarapu Manideep Sai <[email protected]>
> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
>
> Hi,
>
> we need more details in order to help you. Do you have a single IPA
> server or multiple servers? Which one is the CA renewal master?
>
> flo
>
> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via
> FreeIPA-users <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hi Team,
>
> As we checked, the pki-tomcatd service was stopped; it was not possible
> to set the clock back, as other certificates will not be valid
>
> PFB details, please let us know if more details are required on this
>
> As you can see, "Unable to communicate with CMS (404)" is returned when
> ipa cert-show is performed for the serial number; ipa version is
> VERSION: 4.5.0
>
> Please guide us to proceed further
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
> Not After : Mon Jan 10 06:35:46 2022
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
> Not Before: Tue Jan 21 06:35:46 2020
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
> Serial Number: 80 (0x50)
> [root@sai ~]# ipa cert-show 80
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
> [root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
> [root@sai ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
>
> Regards
> Sai
>
> ----------------------------------------------------------------------
> --
>
>
> DISCLAIMER: The information in this message is confidential and may
> be legally privileged. It is intended solely for the addressee.
> Access to this message by anyone else is unauthorized. If you are
> not the intended recipient, any disclosure, copying, or distribution
> of the message, or any action or omission taken by you in reliance
> on it, is prohibited and may be unlawful. Please immediately contact
> the sender if you have received this message in error. Further, this
> e-mail may contain viruses and all reasonable precaution to minimize
> the risk arising there from is taken by OnMobile. OnMobile is not
> liable for any damage sustained by you as a result of any virus in
> this e-mail. All applicable virus checks should be carried out by
> you before opening this e-mail or any attachment thereto.
> Thank you - OnMobile Global Limited.
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> <mailto:[email protected]>
> To unsubscribe send an email to
> [email protected]
> <mailto:[email protected]>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
>
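
Rob's suggestion to use `getcert list`, as an added example that is not part of the original thread: piping the output through `grep -i expire` drops which request each date belongs to, so this sketch keeps the request ID, status and storage alongside it. The function name and the sample output (request IDs, statuses, the ra-agent and httpd entries) are constructed for illustration.

```sh
#!/bin/sh
# Added example: report tracked certificates that expire before a cutoff, with
# the request ID, status and storage that `getcert list | grep -i expire` drops.

# Constructed sample in the layout `getcert list` prints; request IDs, statuses
# and the ra-agent / httpd entries are invented for illustration.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200121063546':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2022-01-10 06:35:46 UTC
Request ID '20211110121739':
    status: MONITORING
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    expires: 2023-11-10 12:17:39 UTC
Request ID '20180412141530':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='IPA.DOMAIN.COM IPA CA',token='NSS Certificate DB'
    expires: 2038-04-12 14:15:30 UTC
EOF
}

# Usage: getcert list | certs_expiring_before 'YYYY-MM-DD HH:MM:SS'   (UTC)
# Prints request_id|status|expires|storage for each certificate that expires
# before the cutoff. The timestamps are fixed-width, so string order is time order.
certs_expiring_before() {
    awk -v cutoff="$1" '
        /^Request ID/ { split($0, q, "\047"); id = q[2]; status = "?"; store = "?" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*certificate:/ {
            n = split($0, q, "\047")              # \047 is the single quote
            store = (n >= 4) ? q[2] ":" q[4] : q[2]
        }
        /^[ \t]*expires:/ {
            when = $2 " " $3
            if (when < cutoff) print id "|" status "|" when "|" store
        }
    '
}

# Demo on the sample: everything already expired as of now.
sample_getcert_output | certs_expiring_before "$(date -u '+%Y-%m-%d %H:%M:%S')"
```

Passing a cutoff some weeks in the future instead of the current time turns the same function into an early warning for certificates that are about to lapse.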