Hi,
I've retried moving the date to three weeks before 2020-12-08 and renewing the cert manually:
# ipa-getcert resubmit -i "ID"
Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
Here's one of the output logs from journalctl -xe:
# journalctl -xe
nov 17 18:08:27 ipa1.itec.lab certmonger[27108]: 2020-11-17 18:08:27 [27108] Internal error
nov 17 18:08:29 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[28053]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 507, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (252963
Now all the certs (except the Kerberos and CA ones) have status: CA_UNREACHABLE.
The CA cert has status: NEED_CSR_GEN_PIN