On 16/01/2018 12:14, Roderick Johnstone via FreeIPA-users wrote:
Hi Rob
This is all on my first master server.
I put the clock back to when the certificates that I restored from backup
are all valid.
I restored the databases in /etc/httpd/alias and
/etc/pki/pki-tomcat/alias from the last good backup I had.
I also restored the CS.cfg file from backup.
I updated the trusts in /etc/pki/pki-tomcat/alias for
caSigningCert cert-pki-ca
to match what is in section 5 of:
https://access.redhat.com/solutions/643753
This was previously:
caSigningCert cert-pki-ca CTu,u,u
for some reason.
I stopped the certmonger service and ran the certmonger command you gave
to start verbose logging.
I was able to start all the ipa services after running:
pki-server subsystem-enable ca
(this seems to become disabled when the tomcatd service cannot start).
I ran getcert resubmit -i <requestid> for the expiring certificates.
The first one I tried (ocspSigningCert) renewed but gets an odd Subject.
It includes the hostname of one of my replica servers.
The other certificates have not renewed.
As you said, there is a large amount of info in the verbose certmonger
debug logs, but it is not immediately obvious to me what has gone wrong,
except that there are some instances of:
Internal error
Would you be prepared to have a look at the log file off-list (3.3MB
file, uncompressed) to see if it means more to you?
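An added example that is not part of the thread and not FreeIPA, Dogtag or certmonger code: a small POSIX shell script that automates the two checks the message does by hand, verifying that a nickname in a `certutil -L` listing carries the expected trust flags, and listing the certmonger requests in `getcert list` output that have not returned to MONITORING after a resubmit. Both inputs are constructed sample output, not taken from the poster's server; the expected trust value `CTu,Cu,Cu` for `caSigningCert cert-pki-ca` is assumed to be the value the linked Red Hat article prescribes, and the request IDs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag/certmonger.
# Check 1: does a nickname in `certutil -L` output carry the expected trust flags?
# Check 2: which certmonger requests in `getcert list` output are not in MONITORING?
# Both inputs below are CONSTRUCTED sample output, not from any real server.

SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
'

SAMPLE_GETCERT="
Number of certificates and requests being tracked: 2.
Request ID '20180101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
Request ID '20180101000001':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
"

# trust_flags LISTING NICKNAME -> prints the trust column for NICKNAME (empty if absent)
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # the trust column is the last field; the nickname is everything before it
        NF >= 2 {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")
            if ($0 == nick) { print flags; exit }
        }'
}

# check_trust LISTING NICKNAME EXPECTED -> 0 when the flags match, 1 otherwise
check_trust() {
    actual=$(trust_flags "$1" "$2")
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    printf 'MISMATCH: %s has trust "%s", expected "%s"\n' "$2" "$actual" "$3" >&2
    return 1
}

# stuck_requests OUTPUT -> prints "REQUEST_ID STATUS" for every request not in MONITORING
stuck_requests() {
    printf '%s\n' "$1" | awk -F "'" '
        /^Request ID / { id = $2 }
        /^[ \t]*status:/ {
            st = $0
            sub(/^[ \t]*status:[ \t]*/, "", st)
            if (st != "MONITORING") print id, st
        }'
}

# ASSUMED expected value for the CA signing cert in /etc/pki/pki-tomcat/alias
# (taken to be what the Red Hat article linked in the thread prescribes).
EXPECTED_CA_TRUST='CTu,Cu,Cu'

if check_trust "$SAMPLE_CERTUTIL" 'caSigningCert cert-pki-ca' "$EXPECTED_CA_TRUST"; then
    echo 'caSigningCert trust flags look right'
else
    echo 'review the trust flags before resubmitting renewals (certutil -M -n NICK -t FLAGS -d DIR)'
fi
stuck_requests "$SAMPLE_GETCERT"

# On a live server, feed real output instead of the samples:
#   check_trust "$(certutil -L -d /etc/pki/pki-tomcat/alias)" 'caSigningCert cert-pki-ca' "$EXPECTED_CA_TRUST"
#   stuck_requests "$(getcert list)"
```

With the constructed sample the first check reports the same `CTu,u,u` mismatch the message describes, and the second prints the one request still in CA_UNREACHABLE, which is the set of request IDs worth a `getcert resubmit` once the CA is healthy again.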