Thanks for your reply. Here is the output of "kinit admin; ipa cert-show 1":

ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@ourorg.COM'
ipa: INFO: trying https://login1.ourorg.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140248688553680
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://login1.ourorg.com/ipa/json'
ipa: DEBUG: HTTP connection destroyed (login1.ourorg.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 694, in single_request
    h = self.make_connection(host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 573, in make_connection
    conn.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipa: DEBUG: Destroyed connection context.rpcclient_140248688553680
ipa: ERROR: cannot connect to 'https://login1.ourorg.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

And here is the output of "ipactl status". Note that, as I mentioned in the first post, the pki-tomcatd service was failing even before the certificates expired.

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful