Jeff Goddard wrote:
> I've done this.
> [root@id-management-1 ipa]# date
> Sun Jan 1 01:12:27 EST 2017
> getcert list gives me this as the first entry:
> Request ID '20150116162120':
> status: CA_UNREACHABLE
> ca-error: Server at
> https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server. ipa: Certificate Authority not
> stuck: no
> key pair storage:
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> subject: CN=id-management-1.internal.emerlyn.com
> expires: 2017-01-16 16:21:20 UTC
> key usage:
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Restarting certmonger multiple times doesn't help.
Sorry, I missed a step. When you go back in time you first need to
restart IPA. The CA isn't up.
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jeff Goddard wrote:
> > Flo,
> > I'm not able to access the link you posted. I did find this thread
> > though
> > and have set the time back and resubmitted a request. Still no
> > Any further hints?
> You need to stop ntpd, go back in time to when the certs are valid and
> restart the certmonger service.
> Then use getcert list to monitor things. You really only care about the
> CA subsystem certs at this point.
> You may need to restart certmonger more than once to get all the certs
> updated (you can manually call getcert resubmit -i <id> if you'd
> Once that is done return to present day, restart ntpd then ipactl
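The thread's advice to use getcert list to monitor things while the clock is set back can be narrowed to the requests that still need attention by filtering for anything not in the MONITORING state. This is an added example, not part of the original thread; the sample output and its request IDs are constructed, and `stuck_requests` and `sample_getcert_output` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: filter `getcert list` output for requests that certmonger
# is not tracking normally (status other than MONITORING).
# Real use on an IPA server:  getcert list | stuck_requests

# Prints "<request-id> <status> <expiry-date>" for each unhealthy request.
stuck_requests() {
    awk '
        function report() {
            if (id != "" && status != "MONITORING")
                print id, status, expires
        }
        /Request ID / {
            report()                      # emit the previous request, if any
            split($0, parts, "\047")      # \047 is the single quote around the ID
            id = parts[2]
            status = ""; expires = "unknown"
            next
        }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { expires = $2 }  # date only; time and zone are dropped
        END { report() }
    '
}

# Constructed sample in the layout `getcert list` prints; IDs are made up.
sample_getcert_output() {
    cat <<'EOF'
Request ID '20990101000001':
	status: MONITORING
	stuck: no
	CA: dogtag-ipa-renew-agent
	expires: 2099-12-31 10:00:00 UTC
	track: yes
	auto-renew: yes
Request ID '20990101000002':
	status: CA_UNREACHABLE
	stuck: no
	CA: IPA
	expires: 2099-01-16 16:21:20 UTC
	track: yes
	auto-renew: yes
EOF
}

# Demo on the constructed sample: only the second request is reported.
sample_getcert_output | stuck_requests
```

Each reported ID is a candidate for `getcert resubmit -i <id>` once the CA is up; an empty result means every tracked request is back in MONITORING.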