On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote:
> Michael Gusek via FreeIPA-users wrote:
> > Hi Fraser,
> > 
> > at the moment, I can't provide this logfile, I've moved that back to
> > have only new log lines. But a new logfile is not created ??? In my
> > old logfile I have some lines after switch to basic auth, but before
> > setting time to past:
> >
> 
> The CA won't start with expired certs.
> 
> I'd set the time back to the past and ensure that the CA comes up. The
> debug log in that case should tell you what is going on. Be sure that
> ntpd is stopped.
> 
> Restarting certmonger should be sufficient to have it try renewal as it
> will see on startup that the certs need to be refreshed.
> 
> rob
>
Further, have a look at `getcert list` output, or
`certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>`, to inspect
the Dogtag system certificates to work out their expiry dates.

Ensure that you restart IPA (`ipactl restart`) after setting the
clock back, so that services can reinitialise with certs that are
valid according to system time.

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
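
To see the expiry dates discussed above for every tracked certificate at once, the following added example (not part of the original thread) parses `getcert list` output. The function names are hypothetical, the sample input is constructed, and it assumes `expires:` lines in the form `YYYY-MM-DD HH:MM:SS UTC`.

```shell
#!/bin/sh
# Added example: summarise `getcert list` output read on stdin.
# $1 = reference time "YYYY-MM-DD HH:MM:SS" (UTC). Timestamps in this
# form sort lexicographically, so plain string comparison is enough.
# Output: expiry|state|status|nickname, earliest expiry first.
cert_expiry_report() {
    awk -v now="$1" -v q="'" '
        /^Request ID/         { status = "?"; nick = "-" }
        /^[ \t]*status:/      { sub(/^[ \t]*status:[ \t]*/, ""); status = $0 }
        /^[ \t]*certificate:/ {
            # Only NSSDB-backed certs carry a nickname; others keep "-".
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, ""); sub(/ UTC$/, "")
            state = (($0 "") < (now "")) ? "EXPIRED" : "valid"
            print $0 "|" state "|" status "|" nick
        }
    ' | sort
}

# Earliest expiry: the clock has to be set to a time before this one.
earliest_expiry() {
    cert_expiry_report "$1" | head -n 1 | cut -d'|' -f1
}

# Constructed sample input (not output from the system in this thread).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150808000001':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2017-07-28 09:15:00 UTC
Request ID '20150808000002':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2035-08-08 09:15:00 UTC
Request ID '20150808000003':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/path/to/cert.pem'
        expires: 2017-07-25 09:15:00 UTC
EOF
}

# Real use: getcert list | cert_expiry_report "$(date -u '+%Y-%m-%d %H:%M:%S')"
```

The chosen time also has to fall after the start of validity of every certificate, which `getcert list` does not show; the `certutil -L -n <nickname>` command above prints it.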
