Manuel Gujo via FreeIPA-users wrote:
Hi,
I've retried moving the date to three weeks before 2020-12-08 and renewing the cert manually:
# ipa-getcert resubmit -i "ID"
Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
Here's one of the output logs from journalctl -xe:
# journalctl -xe
nov 17 18:08:27 ipa1.itec.lab certmonger[27108]: 2020-11-17 18:08:27 [27108] Internal error
nov 17 18:08:29 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[28053]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 507, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (252963
Now all the certs (except the Kerberos and CA ones) are status: CA_UNREACHABLE.
The CA cert is status: NEED_CSR_GEN_PIN.
When you are moving back in time are you bringing the IPA services back
up? You need to do this manually if you have an NTP server enabled
(which it is by default).
Minimum you need to restart, in order, dirsrv.target, krb5kdc, named,
httpd, pki-tomcatd. If you restart certmonger it may kick off the
renewals for you (or it might not).
If you can get the services running back in time then run ipa config-show
to determine whether this server is configured as the CA renewal server.
Only one in the cluster will have this role and the renewals need to
take place on that server. If this one isn't it and none of the others
report it then you can run: ipa config-mod --ca-renewal-master-server=<fqdn>
As Flo said the NEED_CSR_GEN_PIN is from your using ipa-cacert-manage.
It doesn't affect anything in the short term.
rob
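The restart sequence and the renewal-master check from Rob's reply, written up as a small POSIX shell script. This is an added example, not something posted in the thread or shipped by FreeIPA; it assumes that `ipa config-show` prints the renewal master on a line labelled `IPA CA renewal master:` (the label is an assumption here), and the sample config-show output used for the self-check is constructed, reusing the ipa1.itec.lab hostname from the log above.

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread).
# After moving the clock back, bring the IPA services up in the order Rob
# gives, then check whether this host is the CA renewal master, since
# certmonger renewals only succeed on that server.

# Restart order from the reply: directory server first, then KDC, DNS,
# the web front end and finally the Dogtag CA.
IPA_RESTART_ORDER="dirsrv.target krb5kdc named httpd pki-tomcatd"

# Restart each unit in order. With DRY_RUN=1 the commands are only printed,
# which also makes the function testable without systemd.
restart_ipa_services() {
    for unit in $IPA_RESTART_ORDER; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "systemctl restart $unit"
        else
            systemctl restart "$unit" || return 1
        fi
    done
}

# Read `ipa config-show` output on stdin and print the renewal master FQDN.
# Assumes the line is labelled "IPA CA renewal master:" (assumption).
renewal_master_from_config() {
    sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p' | head -n 1
}

# Return 0 when $1 (this host's FQDN) is the renewal master named in $2
# (the text of `ipa config-show`), 1 otherwise or when no master is listed.
is_renewal_master() {
    master=$(printf '%s\n' "$2" | renewal_master_from_config)
    [ -n "$master" ] && [ "$master" = "$1" ]
}

# Real run only when invoked with --apply on an IPA server (needs a Kerberos
# ticket for `ipa config-show`); otherwise the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    restart_ipa_services || { echo "service restart failed" >&2; exit 1; }
    cfg=$(ipa config-show) || exit 1
    me=$(hostname -f)
    if is_renewal_master "$me" "$cfg"; then
        echo "$me is the CA renewal master; renewals run here"
    else
        echo "$me is NOT the CA renewal master (master: $(printf '%s\n' "$cfg" | renewal_master_from_config))"
        echo "if no other server reports the role: ipa config-mod --ca-renewal-master-server=$me"
    fi
fi
```

Run it as `sh ipa-renewal-check.sh --apply` on the server whose clock you moved back; with `DRY_RUN=1` it prints the restart commands instead of executing them, which is a cheap way to confirm the order before touching a production replica.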