Omar Pagan via FreeIPA-users wrote: > Hello guys, > The team was trying some new things and we got some errors we would like to > share: > ERR - _csngen_adjust_local_time - Adjustment limit exceeded; value - ####, > limit - #### (I'm not sure if you care to see the actual numbers) > > ERR - ldbm_back_modify - failed to generate modify CSN for entry > (cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca), aborting operation > > After some google searches we found the following links, but want to validate > with you guys the steps are what we need. Here are some of those links we > have found: > > We have perform the following steps following this link: > https://lists.fedoraproject.org/archives/list/[email protected]/thread/QRQMHFTUB72B6OQJSKYSAQJTQVCZVNLG/ > > The steps are (for the case where your certs are still valid): > > 1. Stop certmonger > 2. grep dogtag-ipa-ca-renew-agent /var/lib/certmonger/cas/* > 3. There should be two. You want the one with "id=dogtag-ipa-ca-renew-agent" > 4. Modify that file and add -N to ca_external_helper. It needs to look like: > > ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N
Yes. > > > We have also found the following link, but not perform the suggested steps. > > https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html > > Since the only way to get the service back is to set the local time and date > back to a time before the certs expired, do you know of any way to resolve > the clock skew problem with the directory service? Other than what is > suggested in the link above? I'd worry about the certificates first. Worst case is you re-initialize the other replicas from the data on the renewal master. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
