Hi,

we need more details in order to help you. Do you have a single IPA server or multiple servers? Which one is the CA renewal master?
flo

On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi Team,

As we checked, the pki-tomcatd service was stopped; it was not possible to set the clock back, as other certificates will not be valid.

Please find the details below, and please let us know if more details are required on this.

As you can see, "Unable to communicate with CMS (404)" is returned when ipa cert-show is performed for the serial number; the IPA version is VERSION: 4.5.0.

Please guide us to proceed further.

[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
            Not After : Mon Jan 10 06:35:46 2022
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
            Not Before: Tue Jan 21 06:35:46 2020
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
        Serial Number: 80 (0x50)
[root@sai ~]# ipa cert-show 80
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
[root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
[root@sai ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@sai ~]#

Regards

Sai



