Polavarapu Manideep Sai wrote:
> Hi Rob,
>
> Other servers are fine, not expired.
>
> Please let me know if more details are required on this.
>
> [root@dir01 ~]# getcert list | grep -i expire
>         expires: 2023-11-10 12:17:39 UTC
>         expires: 2023-11-10 12:18:15 UTC
>         expires: 2024-01-23 09:06:01 UTC
>         expires: 2024-01-23 09:06:31 UTC
>         expires: 2024-01-23 09:06:11 UTC
>         expires: 2024-01-23 09:06:21 UTC
>         expires: 2038-04-12 14:15:30 UTC
>         expires: 2023-10-19 12:17:37 UTC
>         expires: 2023-11-10 12:18:05 UTC
What about the other certificates on the broken CA machine? Does anything work at all? In particular, replication.

If replication is working then you can re-set your renewal master. This will make available most of the missing CA certificates.

The tomcat Server-Cert will still be a problem. You can try ipa-cert-fix to correct that once the others are updated.

Or you can just drop this replica and re-create it since the rest of the topology is in good shape. That would be a lot less work.

Note that IPA 4.5.0 is no longer supported. You need to start looking to upgrade to something far newer. That is going to require a number of step upgrades so it will take some time.

rob

>
> Regards
> Sai
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: 07 July 2023 22:44
> To: FreeIPA users list <[email protected]>; Florence Blanc-Renaud <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: Re: [Freeipa-users] Re: pki-tomcatd service stopped
>
> Polavarapu Manideep Sai via FreeIPA-users wrote:
>> Hi Florence,
>>
>> I have multiple IPA servers. Actually the master server should be the CA renewal master, but when I checked now it is not; the CA renewal master is now showing as the replica server, the same replica server where I am facing this pki-tomcatd service failure issue.
>>
>> Not sure how it got changed.
>>
>> [root@sai ~]# ipa config-show | grep 'CA renewal master'
>>   IPA CA renewal master: dires01.ipa.domain.com
>>
>> My CA renewal master should be: aaa01.ipa.domain.com
>>
>> Please let us know for more details.
>
> What is the condition of certificates on the other servers? Are they also expired? Using `getcert list` is an easier way to get the expiration times for all tracked certs.
>
> rob
>
>> Regards
>> Sai
>>
>> *From:* Florence Blanc-Renaud <[email protected]>
>> *Sent:* 07 July 2023 17:22
>> *To:* FreeIPA users list <[email protected]>
>> *Cc:* Polavarapu Manideep Sai <[email protected]>
>> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
>>
>> Hi,
>>
>> we need more details in order to help you. Do you have a single IPA server or multiple servers? Which one is the CA renewal master?
>>
>> flo
>>
>> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users <[email protected]> wrote:
>>
>>     Hi Team,
>>
>>     As we checked, the pki-tomcatd service was stopped. It is not possible to set the clock back, as the other certificates will not be valid.
>>
>>     PFB details, please let us know if more details are required on this.
>>
>>     As you can see, "Unable to communicate with CMS (404)" is returned when performing ipa cert-show for the serial number; the ipa version is VERSION: 4.5.0.
>>
>>     Please guide us to proceed further.
>>
>>     [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" | grep -i after
>>         Not After : Mon Jan 10 06:35:46 2022
>>     [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" | grep -i before
>>         Not Before: Tue Jan 21 06:35:46 2020
>>     [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" | grep -i serial
>>         Serial Number: 80 (0x50)
>>     [root@sai ~]# ipa cert-show 80
>>     ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
>>     [root@sai ~]# # Not possible to reset clock back, because other certificates were not valid
>>     [root@sai ~]# ipa --version
>>     VERSION: 4.5.0, API_VERSION: 2.228
>>
>>     Regards
>>     Sai
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
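The check Rob recommends in the thread, reading `getcert list` to get the expiration times of every tracked certificate, as an added example that is not part of the thread or of FreeIPA itself: a POSIX sh/awk script that classifies each tracked certificate as expired, expiring before a given date, or fine, and flags requests certmonger reports as stuck. It assumes the `nickname=`, `stuck:` and `expires:` fields of `getcert list` output; the sample output and the reference dates are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): classify certmonger-tracked certs from
# `getcert list` output. Its timestamps are "YYYY-MM-DD HH:MM:SS UTC", so they
# compare correctly as plain strings and need no date parsing.

# Constructed sample shaped like `getcert list`; the first entry mirrors the
# expired tomcat Server-Cert in the thread. Live use: getcert list | check_certs NOW WARN
sample_getcert_output() {
  cat <<'EOF'
Request ID '20200121063546':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
        expires: 2022-01-10 06:35:46 UTC
Request ID '20200121063600':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
        expires: 2024-01-23 09:06:01 UTC
Request ID '20200121063610':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        expires: 2023-10-19 12:17:37 UTC
EOF
}

# check_certs NOW WARN_BEFORE (both "YYYY-MM-DD HH:MM:SS UTC"); stdin is getcert output.
# Prints "STATE nickname expires" per cert; exits 1 if any cert is not OK (monitoring-friendly).
check_certs() {
  awk -v now="$1" -v warn="$2" -v q="'" '
    /^Request ID/     { nick = ""; stuck = "" }
    /nickname=/       { n = substr($0, index($0, "nickname=") + 10)   # skip nickname= and its opening quote
                        nick = substr(n, 1, index(n, q) - 1) }
    /^[ \t]*stuck:/   { stuck = $2 }
    /^[ \t]*expires:/ {
      expires_at = $2 " " $3 " " $4
      state = "OK"
      if (expires_at <= now)       state = "EXPIRED"
      else if (expires_at <= warn) state = "EXPIRING"
      if (stuck == "yes")          state = state "/STUCK"
      if (state != "OK") bad++
      printf "%-16s %-32s %s\n", state, nick, expires_at
    }
    END { exit (bad > 0) }'
}

# Stand-alone demo against the sample, evaluated as of the thread date (July 2023).
sample_getcert_output | check_certs "2023-07-08 00:00:00 UTC" "2023-11-30 00:00:00 UTC" \
  || echo "one or more tracked certificates need attention"
```

On a live server, pass `date -u '+%Y-%m-%d %H:%M:%S UTC'` as NOW and the same format for the warning threshold; an expired or stuck entry is the condition that, in the thread, coincided with the CA being unreachable.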
