<div dir="ltr"><div>I've done this. <br>[root@id-management-1 ipa]# date<br>Sun Jan  1 01:12:27 EST 2017<br><br>getcert list gives me this as the first entry:<br><br>Request ID '20150116162120':<br>        status: CA_UNREACHABLE<br>        ca-error: Server at <a href="https://id-management-1.internal.emerlyn.com/ipa/xml">https://id-management-1.internal.emerlyn.com/ipa/xml</a> failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://INTERNAL.EMERLYN.COM">INTERNAL.EMERLYN.COM</a><br>        subject: CN=<a href="http://id-management-1.internal.emerlyn.com">id-management-1.internal.emerlyn.com</a>,O=<a href="http://INTERNAL.EMERLYN.COM">INTERNAL.EMERLYN.COM</a><br>        expires: 2017-01-16 16:21:20 UTC<br>        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>        track: yes<br>        auto-renew: yes<br><br></div><div>Restarting certmonger multiple times doesn't help. <br><br></div><div>Jeff<br></div><br><div><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff Goddard wrote:<br>
> Flo,<br>
><br>
> I'm not able to access the link you posted. I did find this thread<br>
> though<br>
> <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>archives/freeipa-users/2015-<wbr>June/msg00144.html</a><br>
> <<a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>archives/freeipa-users/2015-<wbr>June/msg00144.html</a>><br>
> and have set the time back and resubmitted a request. Still no success.<br>
> Any further hints?<br>
<br>
You need to stop ntpd, go back in time to when the certs are valid and<br>
restart the certmonger service.<br>
<br>
Then use getcert list to monitor things. You really only care about the<br>
CA subsystem certs at this point.<br>
<br>
You may need to restart certmonger more than once to get all the certs<br>
updated (you can manually call getcert resubmit -i <id> if you'd prefer).<br>
<br>
Once that is done return to present day, restart ntpd then ipactl restart.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div></div>
</div></div>
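Added example, not part of the original thread and not FreeIPA or certmonger code: a parser for `getcert list` output that lists the requests not yet in MONITORING after a certmonger restart and reports whether each certificate is still inside its validity period at the rolled-back clock. The second sample entry and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# First entry abridged from the thread; second entry is constructed for contrast.
SAMPLE = """\
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2017-01-16 16:21:20 UTC
Request ID '19700101000000':
        status: MONITORING
        expires: 2018-12-01 10:00:00 UTC
"""
# "Sun Jan  1 01:12:27 EST 2017" from the thread, converted to UTC (EST = UTC-5).
ROLLED_BACK = datetime(2017, 1, 1, 6, 12, 27, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only; values (URLs, errors) contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def triage(requests, clock):
    """Return requests not in MONITORING, with validity of the cert at `clock`."""
    findings = []
    for req in requests:
        if req.get("status") == "MONITORING":
            continue
        valid = None  # stays None when no certificate has been issued yet
        if req.get("expires"):
            end = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            valid = clock < end.replace(tzinfo=timezone.utc)
        findings.append({"id": req["id"], "status": req.get("status"),
                         "valid_at_clock": valid, "ca_error": req.get("ca-error", "")})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_getcert_list(SAMPLE), ROLLED_BACK):
        print(finding)
```

On a server, feed it the real output, for example `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))`, and pass the clock value the system is currently set to.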