It didn't fail on the subsystem certificate; it failed on the TLS
certificate for the CA itself (it seems). You can check that with:

    getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"

Here's the output:
[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Number of certificates and requests being tracked: 9.
Request ID '20210601131824':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=RHELENT.LAN
    subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
    expires: 2021-06-08 16:53:15 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
If it expires in 2023 then you're ok with the CA anyhow.

Listed as expiring in 2021. Can I force this to be re-issued?

The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.

rob
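The thread above shows the triage step by hand: run getcert list, read the status and expires fields, notice that the tracked CA server certificate is in CA_UNREACHABLE with a week left. The following shell script is an added example, not code from the thread or from FreeIPA/certmonger: it parses getcert list output and prints every tracked request whose status is not MONITORING, that certmonger marks as stuck, or whose certificate expires on or before a cutoff date, so the whole tracking set can be checked at once instead of one nickname at a time. The sample output embedded in it is constructed (hostnames, realm and request IDs are made up, not the poster's), and the live usage line assumes GNU date for computing the cutoff.

```shell
#!/bin/sh
# Added example (not from the thread): flag certmonger-tracked requests that
# need attention, from the output of `getcert list`.
#
# Live use on an IPA host (GNU date assumed for the cutoff computation):
#   getcert list | certmonger_check "$(date -u -d '+30 days' +%F)"
#
# certmonger_check CUTOFF reads getcert output on stdin and prints one line
# per request whose status is not MONITORING, that is marked stuck, or whose
# certificate expires on or before CUTOFF (YYYY-MM-DD).
certmonger_check() {
    cutoff="$1"
    awk -v cutoff="$cutoff" '
        function report() {
            if (id == "") return
            reason = ""
            if (status != "MONITORING") reason = "status=" status
            if (stuck == "yes") reason = reason (reason ? "," : "") "stuck=yes"
            if (expires != "" && expires <= cutoff)
                reason = reason (reason ? "," : "") "expires=" expires
            if (reason != "") print id, reason
        }
        # A "Request ID" line starts a new entry; the ID sits between the quotes.
        /^Request ID / { report(); split($0, q, "\047"); id = q[2]
                         status = ""; expires = ""; stuck = ""; next }
        { sub(/^[ \t]+/, "") }          # getcert indents the per-request fields
        /^status: /  { status = $2 }
        /^stuck: /   { stuck = $2 }
        /^expires: / { expires = $2 }   # YYYY-MM-DD part; ISO dates compare as strings
        END { report() }
    '
}

# Constructed sample in the shape of `getcert list` output (fake hostnames,
# realm and IDs): one request in the CA_UNREACHABLE state seen in the thread,
# one healthy, one healthy but expiring soon.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20210601131824':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://ipa.example.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2021-06-08 16:53:15 UTC
    track: yes
    auto-renew: yes
Request ID '20210601131825':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2023-05-20 10:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20210601131826':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2021-06-25 08:30:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# Run the check against the sample with a fixed cutoff so the result is reproducible.
check_sample() {
    sample_getcert_output | certmonger_check "2021-07-01"
}

check_sample
```

Run against the sample, the script reports the CA_UNREACHABLE request (with its June 2021 expiry) and the request expiring before the cutoff, and stays silent about the healthy one. A non-empty report is the cue to look at the ca-error line and, for IPA's own CA certificates, at whether the CA endpoint in that error is actually reachable from the host, which is the situation in the thread.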