Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
>
> I have multiple ipa servers, actually the master server should be a CA
> renewal master, but when I checked now it is not, now CA renewal master
> showing as replica server, the same replica server where I am facing
> this pki-tomcatd service failure issue
>
> Not sure how it got changed
>
> [root@sai ~]# ipa config-show | grep 'CA renewal master'
> IPA CA renewal master: dires01.ipa.domain.com
>
> My CA renewal master should be : aaa01.ipa.domain.com
>
> Please let us know for more details

What is the condition of certificates on the other servers? Are they
also expired?

Using `getcert list` is an easier way to get the expiration times for
all tracked certs.

rob

> Regards
> Sai
>
> *From:* Florence Blanc-Renaud <f...@redhat.com>
> *Sent:* 07 July 2023 17:22
> *To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> *Cc:* Polavarapu Manideep Sai <manideep....@onmobile.com>
> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
>
> *CAUTION.* This email originated from outside the organization. Please
> exercise caution before clicking on links or attachments in case of
> suspicion or unknown senders.
>
> Hi,
>
> we need more details in order to help you. Do you have a single IPA
> server or multiple servers? Which one is the CA renewal master?
>
> flo
>
> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via
> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Team,
>
> As we checked pki-tomcatd service was stopped, couldn’t possible to
> set the clock back as other certificates will not valid
>
> PFB details, please let us know if more details required on this
>
> As you can see Unable to communicate with CMS (404) when performed
> ipa cert-show for the serial no , ipa version is VERSION: 4.5.0
>
> Please guide us to proceed further
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
> Not After : Mon Jan 10 06:35:46 2022
> [root@sai ~]#
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
> Not Before: Tue Jan 21 06:35:46 2020
> [root@sai ~]#
> [root@sai ~]#
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
> Serial Number: 80 (0x50)
> [root@sai ~]#
> [root@sai ~]#
> [root@sai ~]# ipa cert-show 80
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
> [root@sai ~]#
> [root@sai ~]#
> [root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
> [root@sai ~]#
> [root@sai ~]#
> [root@sai ~]#
> [root@sai ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
> [root@sai ~]#
> [root@sai ~]#
>
> Regards
> Sai
>
> ------------------------------------------------------------------------
>
> DISCLAIMER: The information in this message is confidential and may
> be legally privileged. It is intended solely for the addressee.
> Access to this message by anyone else is unauthorized. If you are
> not the intended recipient, any disclosure, copying, or distribution
> of the message, or any action or omission taken by you in reliance
> on it, is prohibited and may be unlawful. Please immediately contact
> the sender if you have received this message in error. Further, this
> e-mail may contain viruses and all reasonable precaution to minimize
> the risk arising there from is taken by OnMobile. OnMobile is not
> liable for any damage sustained by you as a result of any virus in
> this e-mail. All applicable virus checks should be carried out by
> you before opening this e-mail or any attachment thereto.
> Thank you - OnMobile Global Limited.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
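
Added example, not part of the thread: one way to turn `getcert list` output into a per-certificate expiry summary, so expired tracked certificates can be compared across servers at a glance. The function names, the second request and both request IDs and statuses in the sample are constructed; only the `Server-Cert cert-pki-ca` nickname and its expiry date come from the thread.

```shell
#!/bin/sh
# Summarise certmonger tracking state from `getcert list` output on stdin.
# $1 (optional): reference time "YYYY-MM-DD HH:MM:SS" in UTC, default now.
# Output, tab separated: STATE  expires  status  request-id  certificate-location
cert_expiry_report() {
    now=${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}
    awk -v now="$now" -v q="'" '
        function emit() {
            if (id == "") return
            # ISO-style timestamps sort lexicographically, so compare as strings.
            if (expires == "") state = "UNKNOWN"
            else if ((expires "") < (now "")) state = "EXPIRED"
            else state = "OK"
            printf "%s\t%s\t%s\t%s\t%s\n", state, expires, status, id, name
        }
        /^Request ID / {
            emit()
            id = $3; gsub("[" q ":]", "", id)
            expires = ""; status = ""; name = ""
            next
        }
        /^[ \t]*status:/      { status = $2 }
        /^[ \t]*expires:/     { expires = $2 " " $3 }
        /^[ \t]*certificate:/ { name = $0; sub(/^[ \t]*certificate:[ \t]*/, "", name) }
        END { emit() }
    '
}

# Constructed sample in the layout `getcert list` prints (abridged fields).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20200121063546':
    status: CA_UNREACHABLE
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2022-01-10 06:35:46 UTC
Request ID '20200121063600':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2024-01-21 06:36:00 UTC
EOF
}

# Demo on the constructed sample; on a server use: getcert list | cert_expiry_report
sample_getcert_output | cert_expiry_report '2023-07-07 12:00:00'
```

Running the same report on each IPA server answers the question of which servers still hold valid certificates.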