I think my problem is deeper than that. I was following this guide:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
and executed the commands related to having an external CA - which we do
not have. I now get this message for the CA:

Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Is there any way I can recover?

Jeff

On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Jeff Goddard wrote:
> > I've done this.
> > [root@id-management-1 ipa]# date
> > Sun Jan  1 01:12:27 EST 2017
> >
> >  getcert list give me this as the first entry:
> >
> > Request ID '20150116162120':
> >         status: CA_UNREACHABLE
> >         ca-error: Server at
> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > found).
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > <http://INTERNAL.EMERLYN.COM>
> >         subject: CN=id-management-1.internal.emerlyn.com
> > <http://id-management-1.internal.emerlyn.com>,O=INTERNAL.EMERLYN.COM
> > <http://INTERNAL.EMERLYN.COM>
> >         expires: 2017-01-16 16:21:20 UTC
> >         key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> >
> > Restarting cermonger multiple times doesn't help.
>
> Sorry, I missed a step. When you go back in time you first need to
> restart IPA. The CA isn't up.
>
> rob
>
> >
> > Jeff
> >
> >
> >
> >
> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>> wrote:
> >
> >     Jeff Goddard wrote:
> >     > Flo,
> >     >
> >     > I'm not able to access the link you posted. I did find this thread
> >     > though
> >     >
> >     https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>
> >     >
> >     <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html
> >     <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>>
> >     > and have set the time back and resubmitted a request. Still no
> >     success.
> >     > Any further hints?
> >
> >     You need to stop ntpd, go back in time to when the certs are valid
> and
> >     restart the certmonger service.
> >
> >     Then use getcert list to monitor things. You really only care about
> the
> >     CA subsystem certs are this point.
> >
> >     You may need to restart certmonger more than once to get all the
> certs
> >     updated (you can manually call getcert resubmit -i <id> if you'd
> >     prefer).
> >
> >     Once that is done return to present day, restart ntpd then ipactl
> >     restart.
> >
> >     rob
> >
> >
> >
> >
> > --
> >
>
>


--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to