Hi Team,
As we checked, the pki-tomcatd service was stopped; it was not possible to set the clock back, as other certificates will not be valid.
PFB details; please let us know if more details are required on this.
As you can see, "Unable to communicate with CMS (404)" is returned when ipa cert-show is performed for the serial no.; the ipa version is VERSION: 4.5.0.
Please guide us to proceed further.
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
Not After : Mon Jan 10 06:35:46 2022
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
Not Before: Tue Jan 21 06:35:46 2020
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
Serial Number: 80 (0x50)
[root@sai ~]# ipa cert-show 80
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
[root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
[root@sai ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
Regards Sai
________________________________
DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.
Hi,
we need more details in order to help you. Do you have a single IPA server or multiple servers? Which one is the CA renewal master?
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Florence
I have multiple IPA servers. Actually, the master server should be a CA renewal master, but when I checked now it is not; the CA renewal master is now showing as a replica server, the same replica server where I am facing this pki-tomcatd service failure issue.
Not sure how it got changed
[root@sai ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: dires01.ipa.domain.com
My CA renewal master should be: aaa01.ipa.domain.com
Please let us know if more details are needed.
Regards Sai
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
> I have multiple IPA servers. Actually, the master server should be a CA renewal master, but when I checked now it is not; the CA renewal master is now showing as a replica server, the same replica server where I am facing this pki-tomcatd service failure issue.
> Not sure how it got changed
> [root@sai ~]# ipa config-show | grep 'CA renewal master'
> IPA CA renewal master: dires01.ipa.domain.com
> My CA renewal master should be: aaa01.ipa.domain.com
> Please let us know if more details are needed.
What is the condition of certificates on the other servers? Are they also expired? Using `getcert list` is an easier way to get the expiration times for all tracked certs.
rob
Hi Rob,
Other servers are fine, not expired
Please let me know if more details are required on this.
[root@dir01 ~]# getcert list | grep -i expire
expires: 2023-11-10 12:17:39 UTC
expires: 2023-11-10 12:18:15 UTC
expires: 2024-01-23 09:06:01 UTC
expires: 2024-01-23 09:06:31 UTC
expires: 2024-01-23 09:06:11 UTC
expires: 2024-01-23 09:06:21 UTC
expires: 2038-04-12 14:15:30 UTC
expires: 2023-10-19 12:17:37 UTC
expires: 2023-11-10 12:18:05 UTC
Regards Sai
Polavarapu Manideep Sai wrote:
> Hi Rob,
> Other servers are fine, not expired
> Please let me know if more details are required on this.
> [root@dir01 ~]# getcert list | grep -i expire
> expires: 2023-11-10 12:17:39 UTC
> expires: 2023-11-10 12:18:15 UTC
> expires: 2024-01-23 09:06:01 UTC
> expires: 2024-01-23 09:06:31 UTC
> expires: 2024-01-23 09:06:11 UTC
> expires: 2024-01-23 09:06:21 UTC
> expires: 2038-04-12 14:15:30 UTC
> expires: 2023-10-19 12:17:37 UTC
> expires: 2023-11-10 12:18:05 UTC
What about the other certificates on the broken CA machine? Does anything work at all? In particular, replication.
If replication is working then you can re-set your renewal master. This will make available most of the missing CA certificates. The tomcat Server-Cert will still be a problem. You can try ipa-cert-fix to correct that once the others are updated.
Or you can just drop this replica and re-create it since the rest of the topology is in good shape. That would be a lot less work.
Note that IPA 4.5.0 is no longer supported. You need to start looking to upgrade to something far newer. That is going to require a number of step upgrades so it will take some time.
rob
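Added example (not part of the thread, and not FreeIPA or certmonger code): `getcert list | grep -i expire`, as used in the thread, prints expiry dates without saying which certificate each one belongs to. The function below reads full `getcert list` output and reports each tracked certificate's nickname and certmonger status next to its expiry; the function names, request IDs and the pairing of nicknames with dates in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: per-certificate expiry report from `getcert list` output.

# cert_expiry_report NOW [WARN_BEFORE]
#   stdin : output of `getcert list`
#   stdout: STATE <TAB> expires <TAB> certmonger status <TAB> nickname or file
#   NOW and WARN_BEFORE are UTC timestamps "YYYY-MM-DD HH:MM:SS". That layout
#   sorts as text, so the comparison needs no date arithmetic.
#   STATE is EXPIRED, EXPIRING (on or before WARN_BEFORE), OK or NO-CERT.
cert_expiry_report() {
    awk -v now="$1" -v warn="${2:-$1}" -v q="'" '
        # Print the record collected for the previous request, if any.
        function emit(   state) {
            if (id == "") return
            if (expires == "")                   state = "NO-CERT"
            else if ((expires "") <= (now ""))   state = "EXPIRED"
            else if ((expires "") <= (warn ""))  state = "EXPIRING"
            else                                 state = "OK"
            printf "%s\t%s\t%s\t%s\n", state, (expires == "" ? "-" : expires), status, name
        }
        /^Request ID/ { emit(); id = $3; status = "?"; expires = ""; name = "?"; next }
        /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, ""); status = $0; next }
        /^[ \t]*certificate:/ {
            # NSSDB entries carry a nickname, FILE entries only a location.
            if (match($0, "nickname=" q "[^" q "]*" q))
                name = substr($0, RSTART + 10, RLENGTH - 11)
            else if (match($0, "location=" q "[^" q "]*" q))
                name = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, ""); sub(/[ \t]*UTC[ \t]*$/, "")
            expires = $0; next
        }
        END { emit() }
    '
}

# Constructed sample in the layout getcert prints. The request IDs are made up;
# the dates are taken from the thread but their pairing with nicknames is assumed.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200121063546':
    status: CA_UNREACHABLE
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2022-01-10 06:35:46 UTC
Request ID '20200121063547':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2023-11-10 12:17:39 UTC
Request ID '20200121063548':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2038-04-12 14:15:30 UTC
EOF
}

# On a live server:
#   getcert list | cert_expiry_report "$(date -u '+%Y-%m-%d %H:%M:%S')"
# Demo on the constructed sample, evaluated as of the date of the thread:
sample_getcert_output | cert_expiry_report "2023-07-07 00:00:00" "2023-12-31 00:00:00"
```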