Hi Rob,

We are using Fedora 17. And as you said, when I roll back time to when the CA subsystem and ipaCert are valid, then restart ipactl, "[email protected]" is active as normal. But these five certs could not be renewed as before. (Actually I always restart the IPA world after I roll back time, so this "[email protected]" should be active, but I just ignored it before...)
Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Wednesday, June 01, 2016 10:37 PM
To: Kay Zhou Y; [email protected]
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> 1. I have made snapshots for this system for test, so the NSS databases have been backed up.
>
> 2. For the pki-cad service, I can't find it in my system, it shows there is no such service.
> But there is one service failed as below:
>
> root@ecnshlx3039-test2(SH):requests #systemctl status [email protected]
> [email protected] - PKI Certificate Authority Server pki-ca
> Loaded: loaded (/lib/systemd/system/[email protected]; enabled)
> Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
> Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
> Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
> Main PID: 2593 (code=exited, status=0/SUCCESS)
> CGroup: name=systemd:/system/[email protected]/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally, even the log just said:
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: [email protected]: control process exited, code=exited status=1
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit [email protected] entered failed state.
>
> I will google more to try to start it firstly.
Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.

>
> 3. About the source of the output for getcert list:
>
> root@ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun 1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun 1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun 1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun 1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun 1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun 1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun 1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun 1 06:39 20160601043751
> root@ecnshlx3039-test2(SH):requests #
> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root@ecnshlx3039-test2(SH):requests #
>
> there are just two statements.

Ok, that is fine then I think.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
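As an added example that is not part of this thread: a small Python checker over the output of `getcert list` (the certmonger tool whose request files are listed above) that flags tracked requests which are stuck or carry a CA error, and certificates that are expired or close to expiry, so that a renewal failure like this one is noticed while the CA can still issue. The sample output is constructed (only the request IDs are taken from the thread), and the two accepted `expires:` formats are an assumption about how different certmonger versions print the date.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like `getcert list` output; IDs are from the thread,
# the statuses, dates and error text are made up for this example.
SAMPLE = """\
Request ID '20120704140859':
    status: MONITORING
    expires: 2016-06-20 04:37:48 UTC
Request ID '20120704140922':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to the CA: Couldn't connect to server.
    stuck: yes
    expires: 20160601043748
Request ID '20120704141150':
    status: MONITORING
    expires: 2017-01-15 10:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return requests

def parse_expiry(value):
    # Assumed: newer certmonger prints 'YYYY-MM-DD HH:MM:SS UTC', older 'YYYYMMDDHHMMSS'.
    for fmt in ("%Y-%m-%d %H:%M:%S UTC", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised expiry format: %r" % value)

def find_problems(text, now, warn_days=30):
    """Return (request id, reason) for stuck/erroring, expired or soon-expiring certs."""
    problems = []
    for r in parse_getcert_list(text):
        expires = parse_expiry(r["expires"])
        # Anything other than a clean MONITORING state means renewal is not progressing.
        if r.get("stuck") == "yes" or "ca-error" in r or r.get("status") != "MONITORING":
            problems.append((r["id"], "renewal problem: " + r.get("ca-error", r["status"])))
        elif expires <= now:
            problems.append((r["id"], "expired on " + expires.strftime("%Y-%m-%d")))
        elif expires - now <= timedelta(days=warn_days):
            problems.append((r["id"], "expires in %d days" % (expires - now).days))
    return problems
```

On a live system feed it the real output, e.g. `find_problems(subprocess.check_output(["getcert", "list"]).decode(), datetime.utcnow())`, and alert on a non-empty result.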
