Tran Ngoc Duc via FreeIPA-users wrote:
> Hello Rob,
> 
> I checked: the latest Tomcat version available in the CentOS 9 repositories is 
> 9.0.87-2.el9, so I had to download the Tomcat package from the official Tomcat 
> downloads page.
>  
> I backed up the old tomcat folder. I untarred it and replaced the old tomcat folder.
> After that I replaced /usr/share/tomcat/lib with /root/apache-tomcat-9.0.98/lib.
> 
> I changed the system time to test renewal; I set the time to 7 days before the 
> certificates expire.
> 
> Example (I set time to 2026-04-22)
> Request ID '20240627032920': 
>         status: MONITORING  ==> SUBMITTING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issued: 2024-05-09 18:56:38 UTC
>         expires: 2026-04-29 18:56:38 UTC
> ===============>
> Request ID '20240627032920': 
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issued: 2025-01-10 09:23:55 UTC
>         expires: 2026-12-31 09:23:55 UTC
> 

That is the "what" but not the "why".

What is your goal in manually updating tomcat?

Why are you manually moving time forward? Is it merely to test that
renewal will work?

Did you tweak anything else?

Did you have a time service running?

You moved time into 2026 but got a certificate issued in 2025. The CA
uses standard time routines to obtain the date and time. It won't go
backwards on its own. Even still it only issued a certificate valid for
11 months. Something else is going on here.

rob
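
Added example, not part of the original message or of FreeIPA/certmonger: a small Python check that parses `getcert list` output and flags any tracked request whose `issued` time does not match the clock at the time of renewal, which is the inconsistency pointed out above. The sample is the post-renewal block from the quoted message with the storage lines trimmed; the function names and the one-day tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Post-renewal getcert list output from the quoted message (storage lines trimmed).
SAMPLE = """\
Request ID '20240627032920':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        issued: 2025-01-10 09:23:55 UTC
        expires: 2026-12-31 09:23:55 UTC
"""

HEAD = re.compile(r"^Request ID '(\d+)':")
FIELD = re.compile(r"^\s+(status|CA|issued|expires):\s*(.+?)\s*$")
STAMP = "%Y-%m-%d %H:%M:%S UTC"


def parse_requests(text):
    """Split getcert list output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            current = {"id": head.group(1)}
            requests.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.groups()
            if key in ("issued", "expires"):
                value = datetime.strptime(value, STAMP).replace(tzinfo=timezone.utc)
            current[key] = value
    return requests


def issued_out_of_step(requests, renewal_clock, tolerance=timedelta(days=1)):
    """Return IDs whose 'issued' time is not within tolerance of the clock at renewal."""
    return [r["id"] for r in requests
            if "issued" in r and abs(r["issued"] - renewal_clock) > tolerance]


if __name__ == "__main__":
    clock = datetime(2026, 4, 22, tzinfo=timezone.utc)  # date the system was set to
    print(issued_out_of_step(parse_requests(SAMPLE), clock))
```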
