On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote:
> You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
> not the FreeIPA DIT. You should check on a CA replica.
I don't have a replica right now (I'm in the middle of a disaster!)...
Some more detail: when setting the system date within an interval in which all
certificates are valid, certmonger leaves requests in the "SUBMITTING" state.
Outside this interval, requests go into the "CA_UNREACHABLE" state (a POST to
https://$SERVER/ipa/xml gives HTTP 500).
This whole issue began with a (damn!) "ipa-cacert-manage renew", tried
because service certificates weren't being updated by certmonger.
Now the question is: is there a way to roll back this operation in order
to perform the date-in-the-past trick?
TIA,
Giulio