Hi, can you provide more information on your deployment? Do you have a single IPA server that is providing the CA service or many servers? In the latter case, which one is the CA renewal master? Are there other expired certificates?
# kinit admin # ipa config-show # getcert list flo On Mon, Jun 19, 2023 at 7:25 PM T A via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On FreeIPA version 4.6.8-5 realized that pki-tomcatd wouldnt start > ipactl status > pki-tomcatd Service: STOPPED > > Ran 'getcert list' and found the 'pki-tomcat' cert was expired > > Rolled back the system clock to before the cert expired, now starts up > ipactl status > pki-tomcatd Service: STARTED > > Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows > "status: CA_UNREACHABLE" > 'ipa-cert fix' didnt work either > > Checked logs again 'journalctl -t certmonger' and found 'ns-slapd' was > giving out this error when it tried to renew 'csngen_adjust_local_time - > Adjustment limit exceeded: value - 435060 limit - 86400' > > Any way to change the adjustment limit or force this cert to renew anyway? > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
