Manuel Gujo via FreeIPA-users wrote:
> Hi,
>
> I've retried to move the date three weeks before 2020-12-08 and renew the cert
> manually
>
> # ipa-getcert resubmit -i "ID"
> Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
>
> Here's one of the output logs from journalctl -xe
>
> # journalctl -xe
> nov 17 18:08:27 ipa1.itec.lab certmonger[27108]: 2020-11-17 18:08:27 [27108]
> Internal error
> nov 17 18:08:29 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[28053]:
> Traceback (most recent call last):
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
>     sys.exit(main())
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 507, in main
>     kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
>   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
>     cred = gssapi.Credentials(name=name, store=store, usage='initiate')
>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
>     store=store)
>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
>     usage)
>   File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred
> GSSError: Major (851968): Unspecified GSS failure. Minor code may provide
> more information, Minor (252963
>
> now all the certs (except the Kerberos and CA ones) are status:
> CA_UNREACHABLE.
>
> CA cert is status: NEED_CSR_GEN_PIN
When you are moving back in time are you bringing the IPA services back up? You need to do this manually if you have an NTP server enabled (which it is by default). At a minimum you need to restart, in order, dirsrv.target, krb5kdc, named, httpd, pki-tomcatd. If you restart certmonger it may kick off the renewals for you (or it might not).

If you can get the services running back in time then run ipa config-show to determine whether this server is configured as the CA renewal server. Only one in the cluster will have this role and the renewals need to take place on that server. If this one isn't it and none of the others report it then you can run:

ipa config-mod --ca-renewal-master-server=<fqdn>

As Flo said, the NEED_CSR_GEN_PIN is from your using ipa-cacert-manage. It doesn't affect anything in the short term.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
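The procedure in Rob's reply, written out as a script. This is an added example, not code from the thread or from the FreeIPA project. It assumes a FreeIPA server with an embedded CA, run as root, with an admin ticket (kinit admin) already obtained before the --live run, since ipa config-show needs one. The systemd unit names follow the reply (the pki-tomcatd instance unit is pki-tomcatd@pki-tomcat; the DNS unit name differs between releases, so both candidates are listed and units that are not installed are skipped). The helpers that parse ipa config-show and getcert list output run offline against constructed sample output embedded in the script; the host names and the two extra request IDs in that sample are made up.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeIPA or from the posters.
# Assumptions: FreeIPA server with an embedded CA, run as root, and a valid
# admin ticket (kinit admin) before --live, since `ipa config-show` needs one.
# Unit names follow the reply; the DNS unit differs between releases, so both
# candidates are listed and missing units are skipped.

# Constructed, abridged `ipa config-show` output for offline use.
SAMPLE_CONFIG_SHOW='  Maximum username length: 32
  Home directory base: /home
  IPA CA renewal master: ipa1.itec.lab'

# Constructed, abridged `getcert list` output. The first request ID is the
# one from the thread; the other two are made up.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 3.
Request ID '20201102185036':
    status: CA_UNREACHABLE
    stuck: no
Request ID '20201102185037':
    status: CA_UNREACHABLE
    stuck: no
Request ID '20201102185099':
    status: NEED_CSR_GEN_PIN
    stuck: yes"

# Restart the core services in dependency order after the clock has been
# moved; with NTP stepping the clock they do not come back by themselves.
restart_ipa_services() {
    for unit in dirsrv.target krb5kdc.service named.service named-pkcs11.service \
                httpd.service pki-tomcatd@pki-tomcat.service; do
        if ! systemctl cat "$unit" >/dev/null 2>&1; then
            echo "skipping $unit (not installed)" >&2
            continue
        fi
        systemctl restart "$unit" || { echo "restart of $unit failed" >&2; return 1; }
    done
}

# Value of "IPA CA renewal master" from `ipa config-show` output on stdin.
renewal_master_from_config_show() {
    sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p' | head -n 1
}

# True when the renewal master recorded in LDAP ($1) is this host ($2).
is_renewal_master() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Number of certmonger requests in status $1, from `getcert list` on stdin.
count_certmonger_status() {
    awk -v want="$1" '$1 == "status:" && $2 == want { n++ } END { print n + 0 }'
}

# Request IDs currently in status $1, one per line, from `getcert list` on stdin.
requests_with_status() {
    awk -v want="$1" -v q="'" '
        /^Request ID/ { id = $3; gsub("[" q ":]", "", id) }
        $1 == "status:" && $2 == want { print id }'
}

# Live run: restart services, then decide whether renewals can happen here.
if [ "${1:-}" = "--live" ]; then
    restart_ipa_services || exit 1
    master=$(ipa config-show | renewal_master_from_config_show)
    me=$(hostname -f)
    stuck=$(getcert list | count_certmonger_status CA_UNREACHABLE)
    echo "CA renewal master: ${master:-<none>}; this host: $me; CA_UNREACHABLE: $stuck"
    if is_renewal_master "$master" "$me"; then
        # Only the renewal master can complete these, so resubmit them here.
        getcert list | requests_with_status CA_UNREACHABLE | while read -r id; do
            ipa-getcert resubmit -i "$id"
        done
    else
        echo "Renewals must run on the renewal master. If no server reports one:" >&2
        echo "  ipa config-mod --ca-renewal-master-server=$me" >&2
    fi
fi
```

Run it with --live on the server whose clock you moved back; without arguments it only defines the helpers, which is how you can test the parsing against your own `ipa config-show` and `getcert list` output before touching services. The resubmit loop is deliberately limited to the host that actually holds the renewal master role, since resubmitting on another replica just reproduces the CA_UNREACHABLE state seen in the thread.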
