Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1780317
Description of problem:

[root@master ~]# getcert list|grep -e expire -e certificate:
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2021-11-24 10:20:04 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2039-12-05 10:19:25 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2021-12-05 10:20:58 EST
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
expires: 2021-12-05 10:21:24 EST
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2021-12-05 10:21:38 EST

[root@master ~]# hwclock --set --date="2025-08-14 16:45:05"
[root@master ~]# hwclock --hctosys; date
Thu Aug 14 16:45:10 EDT 2025

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
zRestarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@master ~]# date
Thu Aug 14 16:47:48 EDT 2025

[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@master ~]# ipa-cert-fix

WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.

The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 3
  Expires: 2021-11-24 15:19:26

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial: 4
  Expires: 2021-11-24 15:19:26

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial: 2
  Expires: 2021-11-24 15:19:26

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial: 5
  Expires: 2021-11-24 15:19:26

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial: 7
  Expires: 2021-11-24 15:20:04

IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 9
  Expires: 2021-12-05 15:21:24

IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 8
  Expires: 2021-12-05 15:20:58

IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 10
  Expires: 2021-12-05 15:21:38

Enter "yes" to proceed: yes
Proceeding.

Renewed Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 15
  Expires: 2027-08-04 20:49:57

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial: 16
  Expires: 2027-08-04 20:49:58

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial: 17
  Expires: 2027-08-04 20:49:59

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial: 18
  Expires: 2027-08-04 20:49:59

Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial: 19
  Expires: 2027-08-04 20:49:59

Renewed IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 20
  Expires: 2027-08-15 20:50:00

Renewed IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 21
  Expires: 2027-08-15 20:50:00

Renewed IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial: 22
  Expires: 2027-08-15 20:50:01

Becoming renewal master.
The ipa-cert-fix command was successful

[root@master ~]# getcert list|grep -e expire -e certificate:
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2021-11-24 10:20:04 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2039-12-05 10:19:25 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2021-12-05 10:20:58 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
expires: 2021-12-05 10:21:24 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2021-12-05 10:21:38 EST

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1780317
Metadata Update from @rcritten: - Issue assigned to rcritten
Metadata Update from @frenaud: - Issue assigned to frenaud (was: rcritten)
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5825
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)