Thanks for your reply. Here is the output of "kinit admin; ipa
cert-show 1":
ipa: DEBUG: failed to find session_cookie in persistent storage for principal
'admin@ourorg.COM'
ipa: INFO: trying
https://login1.ourorg.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140248688553680
ipa: INFO: [try 1]: Forwarding 'schema' to json server
'https://login1.ourorg.com/ipa/json'
ipa: DEBUG: HTTP connection destroyed (
login1.ourorg.com)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 694, in
single_request
h = self.make_connection(host)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 573, in
make_connection
conn.connect()
File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
server_hostname=sni_hostname)
File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
_context=self)
File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
self.do_handshake()
File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:618)
ipa: DEBUG: Destroyed connection context.rpcclient_140248688553680
ipa: ERROR: cannot connect to 'https://login1.ourorg.com/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
And the output of "ipactl status"; note, as I mentioned in the first post,
that the pki-tomcatd service was failing even before the certificates expired.
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
We need to start by getting the CA running properly while back in time
when the certs are still valid. There is no way to re-issue the
certificates without it.
Can you share the logging and output from your verification of the pki
subsystem certificate?
rob
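The CERTIFICATE_VERIFY_FAILED error in the traceback above means the client could not validate the chain the server presented; when a FreeIPA server's certificates have lapsed, the quickest confirmation is to read the validity window straight off the certificate that httpd serves. The script below is an added example, not from this thread or from FreeIPA itself: it fetches the leaf certificate with openssl (verification deliberately skipped so an expired chain still comes back), prints its dates, and reports whether it is already expired or due to expire; the hostname login1.ourorg.com comes from the thread, the 30-day warning threshold and the IPA_CHECK_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: check a FreeIPA server's HTTPS certificate validity window.
# Hostname taken from the thread; 30-day threshold and IPA_CHECK_RUN are assumed.

IPA_HOST="${IPA_HOST:-login1.ourorg.com}"
WARN_SECONDS=$((30 * 24 * 3600))

# Fetch the leaf certificate the server presents (SNI set; no chain
# verification, so an already-expired certificate is still returned) as PEM.
fetch_server_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Print subject, issuer and notBefore/notAfter of a PEM certificate.
show_cert_dates() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Return 0 if the certificate in $1 expires within $2 seconds (0 = already
# expired), 1 otherwise. `openssl x509 -checkend N` exits non-zero when the
# certificate will expire within N seconds, so the sense is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1
    else
        return 0
    fi
}

main() {
    tmp=$(mktemp)
    fetch_server_cert "$IPA_HOST" "$tmp" || { echo "could not fetch certificate from $IPA_HOST"; exit 2; }
    show_cert_dates "$tmp"
    if cert_expires_within "$tmp" 0; then
        echo "EXPIRED: $IPA_HOST certificate has lapsed; clients will fail with CERTIFICATE_VERIFY_FAILED"
    elif cert_expires_within "$tmp" "$WARN_SECONDS"; then
        echo "WARNING: $IPA_HOST certificate expires within 30 days"
    else
        echo "OK: $IPA_HOST certificate is valid for more than 30 days"
    fi
    rm -f "$tmp"
}

# Only contact the server when explicitly asked, so the functions can be sourced.
if [ "${IPA_CHECK_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as `IPA_CHECK_RUN=1 IPA_HOST=login1.ourorg.com sh check_ipa_cert.sh`; the same `cert_expires_within` check works on the PEM files under the server's certificate directories if you want to test them without going over the network.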