Thanks for your response Rob, really appreciate it.
I have stopped IPA and went back in time to Jan 7, 2019, since Server-Cert cert-pki-ca would expire on 2019-01-08 20:16:52 UTC.
Started dirsrv, krb5kdc and pki-tomcatd@pki-tomcat.service manually.
[root@sl1mmgplidm0002 ~]# date
Mon Jan 7 20:23:50 CST 2019
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
named Service: STOPPED
ipa_memcached Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
pki-tomcatd Service: STOPPED
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago
  Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 58637 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom...

Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.coyote.AbstractProtocol start
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled.
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem:
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.catalina.startup.Catalina start
Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server startup in 2477 ms
[root@sl1mmgplidm0002 ~]#
Ran "certmonger resubmit -i 20170214143200" but the cert is still showing as expiring on the same date; it is not forcing it to update.
Status has changed to MONITORING now, but only because I went back in time.
Request ID '20170214143200':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
I have tried to restart certmonger with no luck. Please advise.
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, June 17, 2019 2:17 PM
To: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
Sayfiddin, Farhad wrote:
I think if you stop IPA, go back in time to when this server cert is valid (it is the TLS cert for the CA server), manually start dirsrv, dogtag and krb5, then run certmonger resubmit -i 20170214143200.
You want to be sure ntpd (or chronyc) isn't running to force time back to now.
rob
[root@sl1mmgplidm0002 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170214143155':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=CA Audit,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143156':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:54 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143157':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=CA Subsystem,O=IPA.GEN.ZONE
expires: 2020-12-01 18:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143158':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=Certificate Authority,O=IPA.GEN.ZONE
expires: 2037-01-18 20:02:36 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143159':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=IPA RA,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143201':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2020-12-23 03:40:21 UTC
principal name: ldap/sl1mmgplidm0002.ipa.gen.zone@IPA.GEN.ZONE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
track: yes
auto-renew: yes
Request ID '20170214143202':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2020-12-23 03:40:31 UTC
principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone@IPA.GEN.ZONE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Already tried this solution with no luck:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
ipaCert u,u,u
IPA.GEN.ZONE IPA CA CT,C,C
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,'
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C'
Curl command still fails:
[root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
* Trying 172.20.0.36...
* Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias/
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
* start date: Jan 18 20:16:52 2017 GMT
* expire date: Jan 08 20:16:52 2019 GMT
* common name: sl1mmgplidm0002.ipa.gen.zone
* issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, June 13, 2019 4:08 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>
Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
Sayfiddin, Farhad via FreeIPA-users wrote:
> We have two replica servers sl1mmgplidm0001/2.
>
> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>
> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
> IPA CA renewal master: sl1mmgplidm0001
> [root@sl1mmgplidm0001 ~]#
>
> [root@sl1mmgplidm0001 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0001 ~]#
>
> sl1mmgplidm0002 is having an issue where pki-tomcat process would not
> start due to expired cert. It has CA_UNREACHABLE error
>
> [root@sl1mmgplidm0002 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0002 ~]#
>
> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
> Request ID '20170214143200':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA
> subject: CN=sl1mmgplidm0002,O=IPA
> expires: 2019-01-08 20:16:52 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> [root@sl1mmgplidm0002 ~]#
>
> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck.
Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help.
We need to see the full output of getcert list to see what status all the certs are in.
You might also try this:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
rob
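Rob's advice above is to look at the full getcert list output and see what status every tracked cert is in. The script below is an added example, not code from this thread or from FreeIPA/certmonger: it parses getcert list output into one record per Request ID and reports anything not in MONITORING or whose certificate has expired or is within a warning window, which is the routine check that would have flagged this Server-Cert before pki-tomcat stopped starting. The SAMPLE text is constructed from two of the eight requests shown in the thread; the live path assumes the real getcert command is on PATH.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
TS_FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format certmonger prints after 'expires:'
# Constructed sample modelled on two of the eight requests in this thread (not real capture).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170214143158':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2037-01-18 20:02:36 UTC
Request ID '20170214143200':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2019-01-08 20:16:52 UTC
"""

def parse_getcert_list(text):
    """One dict of fields per 'Request ID' block; values keep any colons of their own."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at the first ':' only
            current[key] = value.strip()
    return requests

def find_problems(requests, now_utc, warn_days=28):
    """(request id, reason) pairs an admin should look at; now_utc is given in TS_FMT."""
    now = datetime.strptime(now_utc, TS_FMT)
    problems = []
    for r in requests:
        if r.get("status") != "MONITORING":  # CA_UNREACHABLE, stuck renewals, ...
            problems.append((r["id"], "status %s: %s" % (r.get("status"), r.get("ca-error", ""))))
        if "expires" in r:
            exp = datetime.strptime(r["expires"], TS_FMT)
            if exp <= now:
                problems.append((r["id"], "expired " + r["expires"]))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((r["id"], "expires within %d days (%s)" % (warn_days, r["expires"])))
    return problems
if __name__ == "__main__":  # live use on an IPA server, as root: runs the real getcert
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    for rid, why in find_problems(parse_getcert_list(out), datetime.now(timezone.utc).strftime(TS_FMT)):
        print(rid, why)
```

Run against SAMPLE with a "now" of 2019-06-17 it reports request 20170214143200 twice (CA_UNREACHABLE with its ca-error, and expired), and nothing for the caSigningCert request.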