We have been working to solve an expired certificate issue in
IPA. There is an open ticket in Red Hat support
CASE 02438518. We have tried many things but so far have had no
luck getting the certs to update. Currently the system is
running RHEL 8.0 and IPA 4.7.1.
pki-server cert-fix -n 'subsystemCert cert-pki-ca' -d /var/lib/pki/pki-tomcat/alias/ -C /root/passwd -vvv
INFO: Loading instance: pki-tomcat
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Getting audit_signing cert info for ca from CS.cfg
INFO: Getting audit_signing cert info for ca from NSS database
INFO: Fixing the following certs: ['ca_ocsp_signing', 'sslserver', 'subsystem', 'ca_audit_signing']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Selftests disabled for subsystems: ca
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: CSR for sslserver has been written to /tmp/tmpg_738l5a/sslserver.csr
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: CA cert written to /tmp/tmpg_738l5a/ca_certificate.crt
INFO: AKI: 0x1D0F356A3E7A6968A231723231EB22DA5A01F542
INFO: Temp cert for sslserver is available at /etc/pki/pki-tomcat/certs/sslserver.crt.
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Updating CS.cfg with the new certificate
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 49
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 350, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 119, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 111, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1154, in execute
    renew=True)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1709, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 202, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1011, in enroll_cert
    enroll_request = self.create_enrollment_request(profile_id, inputs)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 962, in create_enrollment_request
    enrollment_template = self.get_enrollment_template(profile_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 942, in get_enrollment_template
    r = self.connection.get(url, self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 160, in get
    timeout=timeout,
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 537, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
ERROR: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
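Editor's note on the innermost error above: `[X509: KEY_VALUES_MISMATCH]` is raised by `context.load_cert_chain(certfile, keyfile)`, i.e. before any TLS handshake with port 8443 happens. It is OpenSSL's check that the public key inside the client certificate corresponds to the private key presented with it, and it fails when the certificate and key handed to the client (here, the credential selected with `-n 'subsystemCert cert-pki-ca'`) do not belong together. The script below is an added example, not code from the original post or from the pki tools; it reproduces that exact check with the openssl CLI on a constructed certificate and two keys (the CN "demo-subsystem" and the file names are made up), so a practitioner can run the same comparison on the PEM cert and key that cert-fix is handing to `load_cert_chain`.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate and a PEM private key belong
# together. This is the comparison OpenSSL performs behind load_cert_chain()
# and reports as KEY_VALUES_MISMATCH when it fails. Assumes the openssl CLI.

# cert_key_match CERT.pem KEY.pem
#   prints "match" and returns 0 when the SubjectPublicKeyInfo embedded in the
#   certificate equals the public half of the private key, "mismatch" / 1
#   otherwise, 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate: $1"; return 2; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) \
        || { echo "unreadable private key: $2"; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Constructed demo material (not from the original system): two RSA keys and
# one self-signed certificate issued from key1.pem. key2.pem is a decoy that
# stands in for "a key in the database that does not belong to this cert".
make_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key1.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key2.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key1.pem" -subj "/CN=demo-subsystem" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone usage: the first call prints "match", the second "mismatch".
if [ "${DEMO:-}" = 1 ]; then
    d=$(make_demo)
    cert_key_match "$d/cert.pem" "$d/key1.pem"
    cert_key_match "$d/cert.pem" "$d/key2.pem"
fi
```

To run the same comparison against the real credential, export the certificate from the NSS database in PEM form with `certutil -L -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a > cert.pem`, export the matching key with `pk12util -o sub.p12 -n 'subsystemCert cert-pki-ca' -d /var/lib/pki/pki-tomcat/alias -k /root/passwd` followed by `openssl pkcs12 -in sub.p12 -nocerts -nodes -out key.pem`, and call `cert_key_match cert.pem key.pem`. A "mismatch" result confirms that the nickname resolves to a certificate whose key is not the one stored under it, which is what `load_cert_chain` is objecting to; which of the two is stale is a separate question the database contents (for example `certutil -K -d /var/lib/pki/pki-tomcat/alias -f /root/passwd` to list the keys) have to answer.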