<div dir="ltr"><div><div>I think my problem is deeper than that. I was following this guide: <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers">http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers</a> and executed the commands related to having an external CA - which we do not have. I now get this message for the CA:<br><br>Request ID '20170101055025':<br> status: NEED_KEY_GEN_PIN<br> stuck: yes<br> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set<br> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'<br> CA: dogtag-ipa-ca-renew-agent<br> issuer:<br> subject:<br> expires: unknown<br> pre-save command:<br> post-save command:<br> track: yes<br> auto-renew: yes<br><br></div>Is there any way I can recover?<br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff Goddard wrote:<br>
> I've done this.<br>
> [root@id-management-1 ipa]# date<br>
> Sun Jan 1 01:12:27 EST 2017<br>
><br>
> getcert list gives me this as the first entry:<br>
><br>
> Request ID '20150116162120':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server at<br>
> <a href="https://id-management-1.internal.emerlyn.com/ipa/xml" rel="noreferrer" target="_blank">https://id-management-1.internal.emerlyn.com/ipa/xml</a> failed request,<br>
> will retry: 4001 (RPC failed at server. ipa: Certificate Authority not<br>
> found).<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
> subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
> expires: 2017-01-16 16:21:20 UTC<br>
> key usage:<br>
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
> Restarting certmonger multiple times doesn't help.<br>
<br>
Sorry, I missed a step. When you go back in time you first need to<br>
restart IPA. The CA isn't up.<br>
<br>
rob<br>
<br>
><br>
> Jeff<br>
><br>
><br>
><br>
><br>
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>
><br>
> Jeff Goddard wrote:<br>
> > Flo,<br>
> ><br>
> > I'm not able to access the link you posted. I did find this thread<br>
> > though<br>
> ><br>
> > <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html</a><br>
> > and have set the time back and resubmitted a request. Still no<br>
> > success.<br>
> > Any further hints?<br>
><br>
> You need to stop ntpd, go back in time to when the certs are valid and<br>
> restart the certmonger service.<br>
><br>
> Then use getcert list to monitor things. You really only care about the<br>
> CA subsystem certs at this point.<br>
><br>
> You may need to restart certmonger more than once to get all the certs<br>
> updated (you can manually call getcert resubmit -i <id> if you'd<br>
> prefer).<br>
><br>
> Once that is done return to present day, restart ntpd then ipactl<br>
> restart.<br>
><br>
> rob<br>
><br>
><br>
><br>
><br>
> --<br>
><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>
</div></div>
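<p>The procedure Rob describes in the quoted replies (stop ntpd, move the clock back to a date on which the certificates were still valid, restart IPA so the CA is up, restart certmonger or resubmit each request, then return to the present) is easy to get wrong by hand, in particular choosing the date. The script below is an added example, not code from this thread or from FreeIPA. It parses <code>getcert list</code> output (a constructed sample modelled on the listings above), reports every request that is not in MONITORING, computes a target date two days before the earliest known expiry (so every certificate is still valid and already inside certmonger's renewal window), and echoes the procedure as commands unless <code>RUN=1</code> is set. It assumes GNU date(1) and awk(1) on the IPA server. The CA request shown above in NEED_KEY_GEN_PIN is reported, not repaired; the thread does not resolve that state.</p>

```bash
#!/bin/bash
# Added example, not from the thread or from FreeIPA. Assumes GNU date(1) and awk(1).

# Constructed sample of `getcert list` output, modelled on the listings in the thread.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        expires: 2017-01-16 16:21:20 UTC
        track: yes
        auto-renew: yes
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        CA: dogtag-ipa-ca-renew-agent
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20150116162200':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
        expires: 2017-01-20 10:00:00 UTC
        track: yes
        auto-renew: yes
EOF
)

# Read `getcert list` output on stdin; print one "id<TAB>status<TAB>expires" line per request.
summarize_requests() {
    awk '
        function emit() { if (id != "") print id "\t" st "\t" expires }
        /^Request ID/ { emit(); id = $3; gsub(/[^0-9]/, "", id); st = "?"; expires = "unknown" }
        /^[[:space:]]*status:/  { st = $2 }
        /^[[:space:]]*expires:/ { expires = ($2 == "unknown") ? "unknown" : $2 " " $3 }
        END { emit() }
    '
}

# IDs of requests that are not simply being monitored: these are the ones to resubmit.
unhealthy_requests() {
    summarize_requests | awk -F'\t' '$2 != "MONITORING" { print $1 }'
}

# Earliest known expiry (YYYY-MM-DD HH:MM:SS, UTC). ISO timestamps sort lexically.
earliest_expiry() {
    summarize_requests | awk -F'\t' '$3 != "unknown" { print $3 }' | sort | head -n 1
}

# Clock value for the rollback: DAYS (default 2) before the earliest expiry, so every
# certificate is still valid and inside certmonger's renewal window.
rollback_date() {
    local days="${1:-2}" exp
    exp=$(earliest_expiry)
    [ -n "$exp" ] || { echo "no request with a known expiry" >&2; return 1; }
    date -u -d "$exp UTC $days days ago" '+%Y-%m-%d %H:%M:%S'
}

# Rob's procedure, echoed as commands unless RUN=1. Usage: time_travel_renew TARGET ID...
time_travel_renew() {
    local target="$1" run=echo id
    shift
    if [ "${RUN:-0}" = 1 ]; then run=; fi
    $run systemctl stop ntpd               # otherwise the clock snaps back immediately
    $run date -u -s "$target"
    $run ipactl restart                    # the CA must be up before certmonger can reach it
    $run systemctl restart certmonger
    for id in "$@"; do
        $run getcert resubmit -i "$id"     # or restart certmonger again and wait
    done
    $run getcert list                      # watch the CA subsystem certs reach MONITORING
    $run systemctl start ntpd              # back to the present: let ntpd resync the clock
    $run ipactl restart
}

# Dry run against the constructed sample: ./renew.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ids=$(printf '%s\n' "$SAMPLE_GETCERT_LIST" | unhealthy_requests)
    target=$(printf '%s\n' "$SAMPLE_GETCERT_LIST" | rollback_date 2)
    time_travel_renew "$target" $ids
fi
```

<p>On a real server feed <code>getcert list</code> into the functions instead of the sample, check the printed target date against the listed expiries before setting <code>RUN=1</code>, and after restarting ntpd confirm with <code>date</code> that the clock has come back to the present before the final <code>ipactl restart</code>.</p>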