On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote:
Hi,
you need to carefully pick the date in the past. At that given date, all
your certs must be valid (i.e. notbefore < date < notafter). It's likely
that you chose a date before the notbefore date of some of the certs.
flo
Hi flo,
Still working on this and I'm unsure exactly what to do next. Here are the Not Before
and Not After dates of all the certs:
/etc/dirsrv/slapd-CFHT-HAWAII-EDU,nickname='Server-Cert'
Not Before: Sat May 18 19:15:24 2019
Not After : Tue May 18 19:15:24 2021
/etc/httpd/alias,nickname='Server-Cert'
Not Before: Sat May 18 19:15:34 2019
Not After : Tue May 18 19:15:34 2021
/etc/httpd/alias,nickname='ipaCert'
Not Before: Wed Jun 14 06:06:40 2017
Not After : Tue Jun 04 06:06:40 2019
/etc/pki/pki-tomcat/alias,nickname='auditSigningCert cert-pki-ca'
Not Before: Wed Jun 14 20:45:05 2017
Not After : Tue Jun 04 20:45:05 2019
/etc/pki/pki-tomcat/alias,nickname='ocspSigningCert cert-pki-ca'
Not Before: Sat Jun 01 10:29:31 2019
Not After : Fri May 21 10:29:31 2021
/etc/pki/pki-tomcat/alias,nickname='subsystemCert cert-pki-ca'
Not Before: Thu Jun 29 04:28:11 2017
Not After : Wed Jun 19 04:28:11 2019
/etc/pki/pki-tomcat/alias,nickname='caSigningCert cert-pki-ca'
Not Before: Wed Jul 22 14:25:13 2015
Not After : Sun Jul 22 14:25:13 2035
/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
Not Before: Tue May 07 19:15:22 2019
Not After : Mon Apr 26 19:15:22 2021
From what I can tell, setting the date to 2019-06-02 should be fine, so I did that and
restarted pki-tomcatd (which starts up fine when backdated).
When I restart certmonger, I'm getting log messages of:
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.572219961 -1000] csngen_new_csn - Warning: too much time skew (-19483202 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.612098416 -1000] csngen_new_csn - Warning: too much time skew (-19483203 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.628118429 -1000] csngen_new_csn - Warning: too much time skew (-19483204 secs). Current seqnum=1
And getcert list displays the following:
...
Request ID '20170614061938':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=IPA RA,O=LOCAL
expires: 2019-06-04 06:06:40 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170614062601':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Audit,O=LOCAL
expires: 2019-06-04 20:45:05 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
...
Request ID '20170614062603':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Subsystem,O=LOCAL
expires: 2019-06-19 04:28:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
...
Thanks for all of your help.
Ferdinand
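The check flo describes (every cert must satisfy notbefore < date < notafter at the chosen date) is easy to get wrong by eye when the windows barely overlap. The script below is an added example, not code from the thread or from FreeIPA: it parses the Not Before / Not After listing exactly as pasted above (embedded here as constructed sample input), computes the only interval in which all certs are valid at once, and names the certs that would be invalid at a candidate date.

```python
import re
from datetime import datetime

# Constructed sample input: the Not Before / Not After listing from the message above.
CERT_LIST = """\
/etc/dirsrv/slapd-CFHT-HAWAII-EDU,nickname='Server-Cert'
Not Before: Sat May 18 19:15:24 2019
Not After : Tue May 18 19:15:24 2021
/etc/httpd/alias,nickname='Server-Cert'
Not Before: Sat May 18 19:15:34 2019
Not After : Tue May 18 19:15:34 2021
/etc/httpd/alias,nickname='ipaCert'
Not Before: Wed Jun 14 06:06:40 2017
Not After : Tue Jun 04 06:06:40 2019
/etc/pki/pki-tomcat/alias,nickname='auditSigningCert cert-pki-ca'
Not Before: Wed Jun 14 20:45:05 2017
Not After : Tue Jun 04 20:45:05 2019
/etc/pki/pki-tomcat/alias,nickname='ocspSigningCert cert-pki-ca'
Not Before: Sat Jun 01 10:29:31 2019
Not After : Fri May 21 10:29:31 2021
/etc/pki/pki-tomcat/alias,nickname='subsystemCert cert-pki-ca'
Not Before: Thu Jun 29 04:28:11 2017
Not After : Wed Jun 19 04:28:11 2019
/etc/pki/pki-tomcat/alias,nickname='caSigningCert cert-pki-ca'
Not Before: Wed Jul 22 14:25:13 2015
Not After : Sun Jul 22 14:25:13 2035
/etc/pki/pki-tomcat/alias,nickname='Server-Cert cert-pki-ca'
Not Before: Tue May 07 19:15:22 2019
Not After : Mon Apr 26 19:15:22 2021
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat May 18 19:15:24 2019" (local time)
CERT_RE = re.compile(
    r"nickname='([^'\n]+)'\s*\nNot Before:\s*(.+)\nNot After\s*:\s*(.+)")

def parse_certs(text):
    """Return [(nickname, not_before, not_after), ...] from the pasted listing."""
    return [(nick, datetime.strptime(nb.strip(), DATE_FMT), datetime.strptime(na.strip(), DATE_FMT))
            for nick, nb, na in CERT_RE.findall(text)]

def common_validity_window(certs):
    """Latest notBefore and earliest notAfter: the only interval where every cert is valid."""
    start = max(nb for _, nb, _ in certs)
    end = min(na for _, _, na in certs)
    return (start, end) if start < end else None  # None: no date satisfies all certs

def certs_invalid_at(certs, when):
    """Nicknames of certs NOT valid at `when` (datetime or ISO string); empty means safe."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    return [nick for nick, nb, na in certs if not nb < when < na]
```

Run on this listing, `common_validity_window` shows the overlap is only from 2019-06-01 10:29:31 (ocspSigningCert notBefore) to 2019-06-04 06:06:40 (ipaCert notAfter), so a backdated clock must land inside that window and must also stay there long enough for the renewals to finish.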