What I did:
1. ipactl stop
3. checked that ntpd is stopped
3. set date to March 8
4. manually start the IPA services: dirsrv, krb5kdc, httpd, pki-tomcatd:
systemctl start dirsrv@EXAMPLE-COM
systemctl start krb5kdc
systemctl start httpd
systemctl start pki-tomcatd@pki-tomcat
pki-tomcatd does not start according to the "ipactl status" command:
pki-tomcatd Service: STOPPED
systemctl status pki-tomcatd@pki-tomcat shows that the service is started but with the following
logs:
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-03-08 05:51:09 UTC; 1 months 27 days ago
  Process: 11336 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 11369 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 11493 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─11493 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: To enable the subsystem:
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Stopping authenticators
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Setting container
In /var/log/pki/pki-tomcat/ca/selftests.log:

0.localhost-startStop-1 - [08/Mar/2022:05:49:24 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Problem with "Certificate ocspSigningCert cert-pki-ca".
How to fix it?
It means that the 8th won't work. As I mentioned, you need to find a
date/time where all the certs are valid. Scanning the output by eye is
difficult. I'd suggest:
getcert list -d /etc/pki/pki-tomcat/alias | egrep "certificate:|expires"
Use those expires to figure out when to go back in time to.
IIRC the 389 and Apache certs weren't renewed so they should still be
valid in early March.
rob
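Rob's suggestion amounts to scanning the "expires" timestamps and picking a date that sits before every one of them. The following is an added example, not code from the thread or from FreeIPA or certmonger: it parses the text that `getcert list -d /etc/pki/pki-tomcat/alias` prints (the full output or just the lines his egrep keeps), reports which tracked certificates are already expired on a candidate date such as March 8, and computes the latest date before the earliest expiry. The sample getcert output is constructed for this example; the nicknames match the certutil listing above, the dates are made up. One caveat: `getcert list` only prints the expiry, not the "Not Before" date, so the chosen date also has to be after the issuance of the most recently renewed certificate, which `certutil -L -n <nickname> -d /etc/pki/pki-tomcat/alias` shows under "Not Before".

```python
"""Find a rollback date at which no tracked certificate has expired yet.

Added example (not from the mailing-list thread). Reads the output of
`getcert list -d /etc/pki/pki-tomcat/alias`, either in full or filtered
through `egrep "certificate:|expires"`, and answers two questions:
which certificates are expired on a candidate date, and what is the
latest date that precedes every expiry.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the two lines per certificate that the egrep keeps.
# Nicknames are the ones from the thread; the expiry dates are invented.
SAMPLE_GETCERT = """\
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2022-03-20 05:51:00 UTC
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2022-03-05 05:51:00 UTC
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2022-03-12 05:51:00 UTC
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2022-04-01 05:51:00 UTC
"""

# "certificate:" lines carry the nickname; "key pair storage:" lines also
# carry one but are deliberately not matched, so each cert is seen once.
NICK_RE = re.compile(r"^\s*certificate:.*?nickname='([^']+)'")
EXPIRES_RE = re.compile(r"^\s*expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_getcert(text):
    """Return {nickname: expiry datetime in UTC} from getcert list output."""
    certs = {}
    nickname = None
    for line in text.splitlines():
        m = NICK_RE.match(line)
        if m:
            nickname = m.group(1)  # remember until its "expires:" line shows up
            continue
        m = EXPIRES_RE.match(line)
        if m and nickname:
            expires = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            certs[nickname] = expires.replace(tzinfo=timezone.utc)
            nickname = None
    return certs


def expired_at(certs, when):
    """Nicknames whose certificate has already expired at the instant `when`."""
    return sorted(nick for nick, exp in certs.items() if exp <= when)


def latest_safe_date(certs, margin=timedelta(days=1)):
    """Latest instant at which no certificate has expired, minus a safety margin
    so the clock can drift during the renewal without crossing an expiry."""
    return min(certs.values()) - margin


def report(text, candidate):
    """Human-readable summary for a candidate rollback date."""
    certs = parse_getcert(text)
    lines = [f"{nick}: expires {exp:%Y-%m-%d %H:%M} UTC" for nick, exp in sorted(certs.items())]
    bad = expired_at(certs, candidate)
    if bad:
        lines.append(f"{candidate:%Y-%m-%d %H:%M} UTC is too late; expired: {', '.join(bad)}")
    else:
        lines.append(f"{candidate:%Y-%m-%d %H:%M} UTC is before every expiry")
    lines.append(f"latest safe date: {latest_safe_date(certs):%Y-%m-%d %H:%M} UTC")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: getcert list -d /etc/pki/pki-tomcat/alias | python3 thisfile.py
    # Without stdin it runs on the constructed sample and the thread's March 8.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT
    march8 = datetime(2022, 3, 8, tzinfo=timezone.utc)
    print(report(text, march8))
```

On the constructed sample the report flags ocspSigningCert cert-pki-ca as expired on March 8, which is the failure the selftests.log above shows, and proposes March 4 as the latest safe date. Run against real output, the parser keys on the `nickname='...'` field of each "certificate:" line, so it works on the whole `getcert list` output as well as on the two-line egrep filter.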