<div dir="ltr"><div><div>I think my problem is deeper than that. I was following this guide: <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers">http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers</a> and executed the commands related to having an external CA - which we do not have. I now get this message for the CA:<br><br>Request ID '20170101055025':<br>        status: NEED_KEY_GEN_PIN<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set<br>        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'<br>        CA: dogtag-ipa-ca-renew-agent<br>        issuer:<br>        subject:<br>        expires: unknown<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br><br></div>Is there any way I can recover?<br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff Goddard wrote:<br>
> I've done this.<br>
> [root@id-management-1 ipa]# date<br>
> Sun Jan  1 01:12:27 EST 2017<br>
><br>
>  getcert list give me this as the first entry:<br>
><br>
> Request ID '20150116162120':<br>
>         status: CA_UNREACHABLE<br>
>         ca-error: Server at<br>
> <a href="https://id-management-1.internal.emerlyn.com/ipa/xml" rel="noreferrer" target="_blank">https://id-management-1.internal.emerlyn.com/ipa/xml</a> failed request,<br>
> will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not<br>
> found).<br>
>         stuck: no<br>
>         key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>         certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
>         CA: IPA<br>
>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
>         expires: 2017-01-16 16:21:20 UTC<br>
>         key usage:<br>
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>         eku: id-kp-serverAuth,id-kp-clientAuth<br>
>         pre-save command:<br>
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
>         track: yes<br>
>         auto-renew: yes<br>
><br>
> Restarting certmonger multiple times doesn't help.<br>
<br>
Sorry, I missed a step. When you go back in time you first need to<br>
restart IPA. The CA isn't up.<br>
<br>
rob<br>
<br>
><br>
> Jeff<br>
><br>
><br>
><br>
><br>
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br>
><br>
>     Jeff Goddard wrote:<br>
>     > Flo,<br>
>     ><br>
>     > I'm not able to access the link you posted. I did find this thread<br>
>     > though<br>
>     ><br>
>     <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html</a><br>
>     > and have set the time back and resubmitted a request. Still no<br>
>     success.<br>
>     > Any further hints?<br>
><br>
>     You need to stop ntpd, go back in time to when the certs are valid and<br>
>     restart the certmonger service.<br>
><br>
>     Then use getcert list to monitor things. You really only care about the<br>
>     CA subsystem certs at this point.<br>
><br>
>     You may need to restart certmonger more than once to get all the certs<br>
>     updated (you can manually call getcert resubmit -i <id> if you'd<br>
>     prefer).<br>
><br>
>     Once that is done return to present day, restart ntpd then ipactl<br>
>     restart.<br>
><br>
>     rob<br>
><br>
><br>
><br>
</blockquote></div>
</div></div>
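<p>The clock-rollback renewal that Rob lays out in the quoted replies (stop ntpd, set the clock back to when the certs were still valid, restart IPA so the CA is up, restart certmonger, watch <code>getcert list</code> and <code>getcert resubmit -i</code> anything still stuck, then return to the present, start ntpd and <code>ipactl restart</code>) as one script. This is an added example written for this page, not code from the thread or from FreeIPA. It assumes a RHEL/CentOS-style IPA server: root, GNU <code>date</code>, systemd units named <code>ntpd</code> and <code>certmonger</code>, and the <code>getcert</code>/<code>ipactl</code> commands named in the thread. The embedded <code>getcert list</code> output is constructed from the entries quoted above (request IDs, nicknames and dates are illustrative), and without arguments the script only runs against that sample; the live steps run only with <code>--live "&lt;YYYY-MM-DD HH:MM:SS&gt;"</code>.</p>

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: a helper around the
# clock-rollback renewal Rob describes. Without arguments it is a dry run
# over a constructed `getcert list` sample; with "--live <datetime>" it
# performs the steps on a real IPA CA server (assumes root, GNU date,
# systemd units named ntpd and certmonger).

# Constructed sample of `getcert list` output, modelled on the entries
# quoted in the thread (request IDs, nicknames and dates are illustrative).
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20150116162120':
        status: CA_UNREACHABLE
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        CA: IPA
        expires: 2017-01-16 16:21:20 UTC
        track: yes
Request ID '20150116162121':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        expires: 2018-03-01 00:00:00 UTC
        track: yes
Request ID '20150116162122':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2016-12-30 09:15:00 UTC
        track: yes
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        CA: dogtag-ipa-ca-renew-agent
        expires: unknown
        track: yes
EOF
}

# Read `getcert list` output on stdin and print "id status expires" for every
# request whose status is not MONITORING (certmonger's healthy state).
unhealthy_requests() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, expires
        }
        /^Request ID/ {
            flush()
            id = substr($3, 2, length($3) - 3)   # strip the quotes and trailing colon
            status = ""; expires = "unknown"
        }
        /^ *status:/  { status = $2 }
        /^ *expires:/ { expires = ($2 == "unknown") ? "unknown" : $2 " " $3 }
        END { flush() }
    '
}

# Earliest known expiry among the unhealthy requests. The clock has to be set
# to a point before this (and after the certs were issued) for renewal to work.
earliest_expiry() {
    unhealthy_requests | awk '$3 != "unknown" { print $3, $4 }' | sort | head -n 1
}

# The live procedure from the thread, with Rob's follow-up correction applied:
# after rolling the clock back, restart IPA (so the CA is up) before certmonger.
renew_by_clock_rollback() {
    rollback_to=$1                      # e.g. "2016-12-28 09:00:00"
    real_before=$(date +%s)
    systemctl stop ntpd
    date -u -s "$rollback_to"
    fake_start=$(date +%s)
    ipactl restart
    systemctl restart certmonger
    round=0
    while [ "$round" -lt 10 ]; do
        pending=$(getcert list | unhealthy_requests)
        [ -z "$pending" ] && break
        printf '%s\n' "$pending" | while read -r id status expires; do
            getcert resubmit -i "$id"   # manual resubmit instead of another certmonger restart
        done
        sleep 60
        round=$((round + 1))
    done
    # back to the present: real time before rollback plus the time spent rolled back
    date -u -s "@$(( real_before + $(date +%s) - fake_start ))"
    systemctl start ntpd
    ipactl restart
}

case "${1:-}" in
    --live) renew_by_clock_rollback "$2" ;;
    *)
        printf 'Requests needing attention (id status expires):\n'
        sample_getcert | unhealthy_requests
        printf 'Earliest expiry among them: %s\n' "$(sample_getcert | earliest_expiry)"
        ;;
esac
```

<p>Run it without arguments first: the dry run prints every tracking request that is not in <code>MONITORING</code> and the earliest expiry among them, which bounds how far back the clock must go (a day or two before that instant is the usual choice; it must still be after the certs were issued). Only then run <code>--live</code> with that instant on the CA server. The script covers just the rollback procedure from the replies; it does nothing about the <code>caSigningCert cert-pki-ca</code> request left in <code>NEED_KEY_GEN_PIN</code> after the external-CA steps, which the thread has not resolved at this point.</p>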