[Freeipa-users] pki-tomcatd fails to start

Jeff Goddard jgoddard at emerlyn.com
Fri Jan 6 20:27:40 UTC 2017


I've done this.
[root at id-management-1 ipa]# date
Sun Jan  1 01:12:27 EST 2017

getcert list gives me this as the first entry:

Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at
https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will
retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
        subject: CN=id-management-1.internal.emerlyn.com,O=
INTERNAL.EMERLYN.COM
        expires: 2017-01-16 16:21:20 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

Restarting certmonger multiple times doesn't help.

Jeff




On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Jeff Goddard wrote:
> > Flo,
> >
> > I'm not able to access the link you posted. I did find this thread
> > though
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html>
> > and have set the time back and resubmitted a request. Still no success.
> > Any further hints?
>
> You need to stop ntpd, go back in time to when the certs are valid and
> restart the certmonger service.
>
> Then use getcert list to monitor things. You really only care about the
> CA subsystem certs at this point.
>
> You may need to restart certmonger more than once to get all the certs
> updated (you can manually call getcert resubmit -i <id> if you'd prefer).
>
> Once that is done return to present day, restart ntpd then ipactl restart.
>
> rob
>



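Rob's steps above, scripted as an added example (my code, not from the thread, FreeIPA or certmonger). It reads `getcert list` output to find tracking requests that are not back in MONITORING, picks a clock target one day before the earliest expiry among them, and then runs the stop-ntpd / rewind / restart-certmonger / resubmit / return-to-present cycle. Assumptions of mine: request IDs contain no spaces, GNU date is available (RHEL/Fedora), a one-day margin before expiry is enough, and all function names are hypothetical. The embedded sample output is constructed from the entry Jeff posted plus two made-up entries.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger:
# helpers for the clock-rewind renewal procedure described above.
# Assumptions (mine): request IDs contain no spaces, GNU date is present,
# and a one-day margin before the earliest expiry is a safe rewind target.

# Constructed sample of `getcert list` output: the entry from the thread
# plus two made-up entries (one still being processed by the CA, one healthy).
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
        subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
        expires: 2017-01-16 16:21:20 UTC
        track: yes
        auto-renew: yes
Request ID '20150116162121':
        status: CA_WORKING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        track: yes
        auto-renew: yes
Request ID '20150116162122':
        status: MONITORING
        stuck: no
        CA: IPA
        expires: 2017-06-01 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
)

# Read `getcert list` output on stdin and print "<id> <status> <expiry-date>"
# for every tracking request whose status is not MONITORING. The expiry is
# "-" when the request has no certificate yet (so no expires: line).
unhealthy_requests() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, expires
        }
        /^Request ID/ {
            flush()
            id = $3; sub(/^./, "", id); sub(/..$/, "", id)   # strip quotes and colon
            status = "UNKNOWN"; expires = "-"
        }
        /^[[:space:]]*status:/  { status = $2 }
        /^[[:space:]]*expires:/ { expires = $2 }
        END { flush() }
    '
}

# Earliest expiry date among the unhealthy requests (empty if none has one).
earliest_expiry() {
    unhealthy_requests | awk '$3 != "-" { print $3 }' | sort | head -n 1
}

# Clock target for the rewind: one day before the given expiry date (GNU date).
rewind_target() {
    date -u -d "$1 1 day ago" '+%Y-%m-%d %H:%M:%S'
}

# The procedure from the thread: stop ntpd, rewind the clock, restart
# certmonger (more than once if needed), resubmit stragglers with
# `getcert resubmit -i <id>`, then return to the present, start ntpd and
# `ipactl restart`. Runs as root on the IPA server; only invoked with --run.
renew_with_clock_rewind() {
    now_epoch=$(date +%s)
    target=$(getcert list | earliest_expiry)
    [ -n "$target" ] || { echo "no unhealthy request with an expiry found" >&2; return 1; }
    systemctl stop ntpd
    date -s "$(rewind_target "$target")"
    attempt=0
    while [ "$attempt" -lt 5 ]; do
        systemctl restart certmonger
        sleep 60                      # give certmonger time to talk to the CA
        pending=$(getcert list | unhealthy_requests)
        [ -z "$pending" ] && break
        printf '%s\n' "$pending" | while read -r id status expiry; do
            getcert resubmit -i "$id"
        done
        attempt=$((attempt + 1))
    done
    getcert list | unhealthy_requests   # anything printed here still needs attention
    date -s "@$now_epoch"               # back to roughly now; ntpd corrects the drift
    systemctl start ntpd
    ipactl restart
}

case "${1:-}" in
    --run) renew_with_clock_rewind ;;
esac
```

Run it with `--run` as root to perform the cycle, or source it and pipe `getcert list` into `unhealthy_requests` just to see which requests are still not MONITORING before touching the clock. Whatever the last `unhealthy_requests` call prints is the list to chase by hand.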