Jeff Goddard wrote:
> I've done this.
> [root@id-management-1 ipa]# date
> Sun Jan 1 01:12:27 EST 2017
>
> getcert list gives me this as the first entry:
>
> Request ID '20150116162120':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>     subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>     expires: 2017-01-16 16:21:20 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
> Restarting certmonger multiple times doesn't help.

Sorry, I missed a step. When you go back in time you first need to restart IPA. The CA isn't up.

rob

>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <[email protected]> wrote:
>
> Jeff Goddard wrote:
> > Flo,
> >
> > I'm not able to access the link you posted. I did find this thread
> > though
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > and have set the time back and resubmitted a request. Still no success.
> > Any further hints?
>
> You need to stop ntpd, go back in time to when the certs are valid and
> restart the certmonger service.
>
> Then use getcert list to monitor things. You really only care about the
> CA subsystem certs at this point.
>
> You may need to restart certmonger more than once to get all the certs
> updated (you can manually call getcert resubmit -i <id> if you'd
> prefer).
>
> Once that is done return to present day, restart ntpd then ipactl
> restart.
>
> rob
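
The monitoring step in this thread ("use getcert list to monitor things") can be scripted: the sketch below parses `getcert list` output, reports every request that is not healthy at a given clock, and gives the earliest expiry that the rolled-back clock has to stay ahead of. It is an added example, not part of the thread or of certmonger; the second request (`EXAMPLE-0002`, `example-host.example.test`) is constructed, and treating `MONITORING` as the only healthy status is an assumption of this sketch.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first request is abridged from the post above,
# the second is made up to show an entry that certmonger reports as healthy.
SAMPLE = """\
Request ID '20150116162120':
    status: CA_UNREACHABLE
    ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
    CA: IPA
    subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
    expires: 2017-01-16 16:21:20 UTC
Request ID 'EXAMPLE-0002':
    status: MONITORING
    subject: CN=example-host.example.test,O=EXAMPLE.TEST
    expires: 2019-01-02 03:04:05 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    for req in requests:
        if "expires" in req:  # the listing prints expiry in UTC
            req["expires"] = datetime.strptime(
                req["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return requests

def triage(requests, clock):
    """Return (id, reason) for every request that is not healthy at `clock`."""
    findings = []
    for req in requests:
        if req.get("status") != "MONITORING":  # assumption: only healthy state
            findings.append((req["id"], req.get("status", "unknown")))
        elif req.get("expires") and req["expires"] <= clock:
            findings.append((req["id"], "EXPIRED"))
    return findings

def latest_usable_clock(requests):
    """Earliest expiry: the rolled-back system clock must stay before this."""
    return min(r["expires"] for r in requests if "expires" in r)
```

A request that stays in `CA_UNREACHABLE` while the clock is before `latest_usable_clock()` points at the CA service rather than at the date, which is the situation the reply above addresses.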
