No, the CA component is not running, and there seems to be not much activity under
/var/log/pki/pki-tomcat. Maybe these can be of interest:
[1] selftests.log
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification:
system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid:
Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification
running at startup FAILED!
[2] catalina.log
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did
not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property
Flo, if I may suspect something here .... I recall that before the incident this one expired in 2036, now
it's 2038
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2038-10-22 18:15:48 UTC
track: yes
auto-renew: yes
And the URI was the hostname, not ipa-ca.
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep URI
URI: "http://ipa-ca.domain.com/ca/ocsp"
Is there a way to "manually" revert the change or renew a cert?
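One way to turn the `getcert list` output pasted above into a quick expiry and health check across all tracked certificates (the selftests failure names ocspSigningCert, while the tracking entry shown is for caSigningCert, so it pays to look at every entry rather than one). This is an added example, not code from the original thread, FreeIPA or certmonger; the reference time and the first sample entry are taken from the post, the second sample entry (an expired ocspSigningCert in status CA_UNREACHABLE) is constructed, and the field layout and "YYYY-MM-DD HH:MM:SS UTC" expiry format are assumed from what the post shows.

```python
"""Flag certmonger tracking entries that are expired, near expiry, or not
healthy, from the text that `getcert list` prints.

Added example, not code from the original thread or from FreeIPA/certmonger.
It assumes the field layout shown in the post (status, stuck, certificate,
expires, auto-renew) and an "expires:" value of the form
YYYY-MM-DD HH:MM:SS UTC.
"""
import re
from datetime import datetime, timedelta, timezone

# Reference time: the selftests.log timestamp from the post
# (08/Aug/2018 10:12:03 PDT is 17:12:03 UTC).
NOW = datetime(2018, 8, 8, 17, 12, 3, tzinfo=timezone.utc)

# Constructed sample in the shape of `getcert list` output. The first entry
# mirrors the caSigningCert entry in the post; the second (ocspSigningCert,
# already expired, status CA_UNREACHABLE) is an assumption added so there is
# something to flag. Request IDs are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20180808101203':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2038-10-22 18:15:48 UTC
        track: yes
        auto-renew: yes
Request ID '20180808101204':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-01 09:00:00 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':", re.M)
FIELD_RE = re.compile(r"^[ \t]*(status|stuck|certificate|expires|auto-renew): (.*)$", re.M)
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    entries = []
    heads = list(REQUEST_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = {k: v.strip() for k, v in FIELD_RE.findall(text[head.end():end])}
        nick = NICK_RE.search(fields.get("certificate", ""))
        expires = datetime.strptime(fields["expires"], "%Y-%m-%d %H:%M:%S UTC")
        entries.append({
            "request_id": head.group(1),
            "nickname": nick.group(1) if nick else None,
            "status": fields.get("status"),
            "stuck": fields.get("stuck") == "yes",
            "auto_renew": fields.get("auto-renew") == "yes",
            "expires": expires.replace(tzinfo=timezone.utc),
        })
    return entries


def check_tracking(text, now=NOW, warn_days=30):
    """Return [(nickname, [reasons])] for entries an admin should look at:
    expired or expiring within warn_days, not in MONITORING, stuck, or
    not set to auto-renew."""
    problems = []
    for e in parse_getcert_list(text):
        reasons = []
        if e["expires"] <= now:
            reasons.append("expired")
        elif e["expires"] - now <= timedelta(days=warn_days):
            reasons.append(f"expires within {warn_days} days")
        if e["status"] != "MONITORING":
            reasons.append(f"status {e['status']}")
        if e["stuck"]:
            reasons.append("stuck")
        if not e["auto_renew"]:
            reasons.append("auto-renew off")
        if reasons:
            problems.append((e["nickname"], reasons))
    return problems


if __name__ == "__main__":
    import sys
    # Pipe real output in (`getcert list | python3 check.py`) or run on SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for nick, reasons in check_tracking(text, now=datetime.now(timezone.utc)):
        print(f"{nick}: {', '.join(reasons)}")
```

On the sample this reports only the constructed ocspSigningCert entry (expired, status CA_UNREACHABLE, stuck); the caSigningCert entry from the post passes. Note that certmonger only knows about certificates it tracks, so a system certificate missing from `getcert list` altogether is itself a finding, and `certutil -L -d /etc/pki/pki-tomcat/alias` remains the authoritative view of what is actually in the NSS database.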