Ian Stokes-Rees wrote:
  Some more info:

1. certmonger wasn't running, so I started it. Then I can execute
"ipa-getcert list" but it doesn't return anything.

Ok, your install must have pre-dated our implementation of it.

2. /var/log/ipa/default.log (the only log file in that dir) appears to
show the *new* cert being imported successfully (the latest timestamps
are from about 1000 seconds ago, or less than 20 minutes):

As one might expect the Apache cert has also expired. Apache needs a valid cert and needs to contact 389-ds to start IPA.

3. dirsrv errors has this as its last log entries:

It doesn't seem to like the self-signed cert you installed.

The key used to initially generate the 389-ds certificate should still be in your NSS database, certutil -K -d /etc/dirsrv/slapd-REALM should have it. We should be able to use that to get things working again.

I think the fastest way to get back up would be to set your system clock back to Jan 15. Disable security in 389-ds and start that, then restart Apache. This should be enough to get part of your infrastructure back up and running long enough to renew the certs.

Once you renew the 389-ds certificate and get that working you can do pretty much the same thing to Apache. The Apache NSS database is in /etc/httpd/alias. You won't need to disable security for this at all.

Otherwise we may have to set up a sort of temporary CA, issue new certificates for Apache and 389-ds to get them back up and running, then renew things.

If you try going back in time don't forget to reset the date. You'll have to stop ntpd when going back in time.


Freeipa-users mailing list

Reply via email to