Hi there, still working on cert renewal with little bit of progress, hence asking kindly for more support until final resolution. As per the subject, certmonger renews two out of four certificates. [1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid [2] restart krb5kdc, 389, httpd, CA [3] Verify that CA is running. # SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to ca-ldap01.domain.com port 8443 (#0) * Trying x.x.x.x... * Connected to ca-ldap01.domain.com (IP) port 8443 (#0) * Initializing NSS with certpath: sql:/etc/httpd/alias/ * CAfile: /etc/ipa/ca.crt CApath: none * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=ca-ldap01.domain.com,O=domain.com * start date: Jul 18 01:47:45 2018 GMT * expire date: Jul 07 01:47:45 2020 GMT * common name: ca-ldap01.domain.com * issuer: CN=Certificate Authority,O=domain.com * NSS: client certificate not found (nickname not specified) < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < Content-Type: text/html;charset=UTF-8 < Transfer-Encoding: chunked < Date: Fri, 10 Aug 2018 08:54:11 GMT < { [data not shown] 100 17641 0 17641 0 0 203k 0 --:--:-- --:--:-- --:--:-- 205k * Connection #0 to host ca-ldap01.domain.com left intact [4] ipactl status reads: # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: STOPPED pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful [5] restart certmonger, four cert are in submitting status # getcert list | egrep "certificate|expire|status" Number of certificates and requests being tracked: 6. status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:38 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:35 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:36 UTC status: MONITORING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2036-08-24 20:49:35 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC status: MONITORING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2020-07-07 01:47:45 UTC [6] Here is where problem starts, the CA stop running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log report 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SystemCertsVerification: system certs verification success 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup! 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! [7] I see that 'auditSigningCert' and ocspSigningCert have been renewed, so obviously at this very moment their validity time is not same as for other certs. Hence selftests.logs reports auditSigningCert is invalid, and CA stops running and I am left with tow certs not renewed. New cert list now is: # getcert list | egrep "certificate|expires" Number of certificates and requests being tracked: 6. certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2020-10-29 06:35:38 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2020-10-11 20:15:53 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:36 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2036-08-24 20:49:35 UTC certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2020-07-07 01:47:45 UTC The question now is how to work around this problem? Instead of restarting certmonger service, is it better to renew certs with 'getcert resubmit' in some specific order? thanks, Zarko