Sina Owolabi wrote:
Hi Rob

I've been to the URL but it's a little difficult applying these commands
to RHEL6 systems.
For instance there is no /etc/pki-tomcat directory in RHEL6, and I
cannot find the ipa.crt

I'm sure as a noob I am overlooking some very obvious stuff, but could
you please guide me on what to do?

Sorry, I think I pointed you at the wrong page. Check out

Your CA subsystem certificates are expired, or nearly expired. They are valid for two years. Based on the request ID in the snippet you posted, at least some are valid for another few days.

What I'd suggest is to send the machine back in time and restart the services. This should bring things up so that certmonger can do the renewal:

# ipactl stop
# /sbin/service ntpd stop
# date 0501hhmm    (where hhmm are the current hour and minute)
# ipactl start

Hopefully ntpd isn't started by ipactl. If it is then it will undo your going back in time, and you'll need to start the services manually:

# service dirsrv@YOURREALM start
# service krb5kdc start
# service httpd start
# service pki-tomcatd start

Restart certmonger

# service certmonger restart

Wait a bit

# getcert list

Watch the status. They should go to MODIFIED.

Once done:

# ipactl stop

Return date to present, either by restarting ntpd or date or whatever method you'd like.

I'm taking a completely wild guess on the date to go back to. The expiration date is listed in the getcert output. I'd go back a week before the oldest expiration.
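
As an added example (not part of the original message), the script below picks the rollback date the way the reply suggests: it reads the `expires:` lines from `getcert list`, takes the oldest, and goes back a week. The sample output, the function names, and the choice to include the year in the `date` argument are assumptions; it relies on GNU `date`.

```shell
#!/bin/bash
# Constructed sample of `getcert list` output (not from the thread).
# Only the "expires:" lines matter; on a real host pipe `getcert list` instead.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20130519130741':
    status: CA_UNREACHABLE
    expires: 2015-05-09 13:06:45 UTC
Request ID '20130519130742':
    status: CA_UNREACHABLE
    expires: 2015-05-08 13:06:40 UTC
Request ID '20130519130811':
    status: MONITORING
    expires: 2015-05-20 13:08:02 UTC
EOF
}

# Print the earliest "expires:" timestamp found on stdin.
# ISO-style timestamps sort correctly as plain text.
oldest_expiry() {
    awk '$1 == "expires:" { print $2, $3, $4 }' | sort | head -n 1
}

# Print the MMDDhhmmCCYY argument for `date -u`, N days (default 7) before
# timestamp $1. Epoch arithmetic avoids GNU date reading "UTC - 7" as a
# time-zone offset. The year is included in case the rollback crosses New Year.
rollback_date_arg() {
    [ -n "$1" ] || { echo "no expiry timestamp given" >&2; return 1; }
    local epoch
    epoch=$(date -u -d "$1" +%s) || return 1
    date -u -d "@$((epoch - ${2:-7} * 86400))" +%m%d%H%M%Y
}

exp=$(sample_getcert_output | oldest_expiry)
echo "oldest expiry: $exp"
echo "to go back a week before it: date -u $(rollback_date_arg "$exp")"
```
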

