Sina Owolabi wrote:
Hi Rob
I've been to the URL but it's a little difficult applying these commands
to RHEL6 systems.
For instance there is no /etc/pki-tomcat directory in RHEL6, and I
cannot find the ipa.crt
I'm sure as a noob I am overlooking some very obvious stuff, but could
you please guide me on what to do?
Sorry, I think I pointed you at the wrong page. Check out
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
Your CA subsystem certificates are expired, or nearly expired. They are valid for two
years. Based on the request ID in the snippet you posted at least some
are valid for another few days.
What I'd suggest is to send the machine back in time and restart the
services. This should bring things up so that certmonger can do the renewal:
# ipactl stop
# /sbin/service ntpd stop
# date 0501hhmm    (where hhmm are the current hour and minute)
# ipactl start
Hopefully ntpd isn't started by ipactl. If it is then it will undo your
going back in time, and you'll need to start the services manually:
# service dirsrv@YOURREALM start
# service krb5kdc start
# service httpd start
# service pki-tomcatd start
Restart certmonger
# service certmonger restart
Wait a bit
# getcert list
Watch the status. They should go to MODIFIED
Once done:
# ipactl stop
Return date to present, either by restarting ntpd or date or whatever
method you'd like.
I'm taking a completely wild guess on the date to go back to. The
expiration date is listed in the getcert output. I'd go back a week
before the oldest expiration.
rob
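
Added example, not part of Rob's message or of FreeIPA's own tooling: a small Python script that reads `getcert list` output, finds the oldest `expires:` value and builds the `date` argument for a week before it, keeping the current hour and minute as in the procedure above. The sample output is constructed, the function names are this example's own, and the year is appended (`MMDDhhmmCCYY`) so the clock lands in the right year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints; not output from this thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20120508091522':
    status: CA_UNREACHABLE
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2014-05-08 09:15:22 UTC
Request ID '20120508091523':
    status: CA_UNREACHABLE
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2014-05-10 09:15:23 UTC
Request ID '20120508091700':
    status: MONITORING
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2015-11-02 09:17:00 UTC
"""

REQUEST = re.compile(r"^Request ID '([^']+)':")
EXPIRES = re.compile(r"^\s*expires:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def parse_expirations(text):
    """Return [(request_id, expiry as naive UTC datetime)] for each tracked request."""
    found, current = [], None
    for line in text.splitlines():
        m = REQUEST.match(line)
        if m:
            current = m.group(1)
            continue
        m = EXPIRES.match(line)
        if m and current is not None:
            found.append((current, datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")))
    return found

def rollback_target(expirations, margin_days=7):
    """Point in time margin_days before the oldest expiration."""
    if not expirations:
        raise ValueError("no 'expires:' lines found in getcert output")
    return min(when for _, when in expirations) - timedelta(days=margin_days)

def date_argument(target, now):
    """MMDDhhmmCCYY argument for date(1): target day, current hour and minute."""
    return target.strftime("%m%d") + now.strftime("%H%M") + target.strftime("%Y")

if __name__ == "__main__":
    target = rollback_target(parse_expirations(SAMPLE))
    print("date " + date_argument(target, datetime.now()))
```

On a real server, feed it the text of `getcert list` instead of `SAMPLE`; the week of margin makes the UTC versus local time difference irrelevant.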