Re: [Freeipa-users] pki-tomcat failed. [SOLVED]

2017-01-10 Thread Bob Hinton
Hi Adam,

With the change to ldap instead of ldaps on the CA master that you suggested I was able to move the system clock to before the certificate expiry time then do

    ipactl start --ignore-service-failures
    systemctl start pki-tomcat@pki-tomcat.service

then start the pki ca service manually

Re: [Freeipa-users] pki-tomcat failed.

2017-01-10 Thread Adam Tkac
Hello, we hit a similar issue (although due to different conditions - we rotated root CA cert and then newly issued certificates were wrongly signed), we were also unable to start tomcat. If I remember correctly, we switched dogtag to use simple binds instead of TLS to connect to LDAP this way. 1.

[Freeipa-users] pki-tomcat failed.

2017-01-10 Thread Bob Hinton
Hi,

The pki-tomcatd services on our IPA servers seem to have stopped working. This seems to be related to the expiry of several certificates -

    [root@ipa001 ~]# getcert list | more
    Number of certificates and requests being tracked: 8.
    Request ID '20161230150048':
        status: MONITORING