#8721 The ipa-cert-fix command failed. [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
Closed: fixed a year ago by ftweedal. Opened a year ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1779984

Description of problem:

With repeated date changing and setting back and forth.
ipa-cert-fix failed to renew the certs.

# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=IPA RA,O=IPA.TEST
        expires: 2027-11-03 17:24:24 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20191204141340':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Audit,O=IPA.TEST
        expires: 2027-11-03 17:24:22 EDT
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141341':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=OCSP Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:15 EDT
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141342':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:23 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141343':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=Certificate Authority,O=IPA.TEST
        expires: 2039-12-04 09:12:31 EST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141344':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-03 17:24:34 EDT
        dns: master.ipa.test
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141408':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nick
name='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname=
'Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:44 EST
        dns: master.ipa.test
        principal name: ldap/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
        track: yes
        auto-renew: yes
Request ID '20191204141434':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',p
infile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:32 EST
        dns: master.ipa.test
        principal name: HTTP/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20191204141448':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:23 EST
        principal name: krbtgt/IPA.TEST@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
[root@master ~]# time^C
[root@master ~]# date
Thu Nov 13 17:39:34 EST 2025
[root@master ~]#
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 5025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 5025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 50^C"
[root@master ~]# date
Thu Nov 13 17:41:21 EST 2025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 3025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 3025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2125"
Tue Nov 13 17:23:34 EST 2125
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real    0m21.731s
user    0m2.544s
sys     0m0.317s
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2225"
Sun Nov 13 17:23:34 EST 2225
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real    0m22.144s
user    0m2.530s
sys     0m0.352s
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=IPA RA,O=IPA.TEST
        expires: 2027-11-03 17:24:24 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20191204141340':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Audit,O=IPA.TEST
        expires: 2027-11-03 17:24:22 EDT
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141341':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=OCSP Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:15 EDT
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141342':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:23 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141343':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=Certificate Authority,O=IPA.TEST
        expires: 2039-12-04 09:12:31 EST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141344':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-03 17:24:34 EDT
        dns: master.ipa.test
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141408':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nick
name='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname=
'Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:44 EST
        dns: master.ipa.test
        principal name: ldap/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
        track: yes
        auto-renew: yes
Request ID '20191204141434':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',p
infile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:32 EST
        dns: master.ipa.test
        principal name: HTTP/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20191204141448':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:23 EST
        principal name: krbtgt/IPA.TEST@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
[root@master ~]#
[root@master ~]#
[root@master ~]#
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 1925"
date: cannot set date: Invalid argument
Fri Nov 13 17:23:34 EST 1925
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2017"
Mon Nov 13 17:23:34 EST 2017
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"
Mon Nov 13 17:23:34 EST 2090
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"^C
(reverse-i-search)`cert': service ^Crtmonger restart
[root@master ~]# ip-acer^C
[root@master ~]# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2027-11-03 21:24:34

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2091-02-13 22:24:04

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
The ipa-cert-fix command failed.
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=IPA RA,O=IPA.TEST
        expires: 2027-11-03 17:24:24 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20191204141340':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Audit,O=IPA.TEST
        expires: 2027-11-03 17:24:22 EDT
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141341':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=OCSP Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:15 EDT
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141342':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=CA Subsystem,O=IPA.TEST
        expires: 2027-11-03 17:24:23 EDT
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141343':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=Certificate Authority,O=IPA.TEST
        expires: 2039-12-04 09:12:31 EST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141344':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot
be authenticated with given CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-03 17:24:34 EDT
        dns: master.ipa.test
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20191204141408':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nick
name='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname=
'Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:44 EST
        dns: master.ipa.test
        principal name: ldap/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
        track: yes
        auto-renew: yes
Request ID '20191204141434':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',p
infile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:32 EST
        dns: master.ipa.test
        principal name: HTTP/master.ipa.test@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20191204141448':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.test/ipa/xml failed request,
will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.
libcurl failed even to execute the HTTP transaction, explaining:  SSL
certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=master.ipa.test,O=IPA.TEST
        expires: 2027-11-14 17:29:23 EST
        principal name: krbtgt/IPA.TEST@IPA.TEST
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

Version-Release number of selected component (if applicable):
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)
[root@master ~]# rpm -qa|grep ipa
python3-libipa_hbac-2.2.0-19.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
libipa_hbac-2.2.0-19.el8.x86_64
ipa-server-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
python3-ipalib-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-trust-ad-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
sssd-ipa-2.2.0-19.el8.x86_64
redhat-logos-ipa-81.1-1.el8.noarch
python3-ipaserver-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-server-dns-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch

# ipa-cert-fix --version
4.8.0

# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]

      --cert <Cert ID>            Fix specified system cert (default: all
certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
      --ldap-url <URL>            LDAP URL (mutually exclusive to
--ldapi-socket)
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -p, --port <port number>        Secure port number (default: 8443).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.


ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module
ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module
ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_139775471691928
ipalib.install.sysrestore: DEBUG: Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in
sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in
sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f2002ce5a58>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a',
'-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDpzCCAg+gAwIBAgIBHTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCIYDzIwOTAxMTEz
MjIyNDA0WhgPMjA5MTAyMTMyMjI0MDRaMC0xETAPBgNVBAoMCElQQS5URVNUMRgw
FgYDVQQDDA9tYXN0ZXIuaXBhLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC4mD9RpmAgwr+7o2PiIsIqAySEiFWQI2/H3ZVPwTElKgPLZrxIfnCm
UKB2N586BrOjjU45eAYcHJZMHoLjELsUpHhfdqPrjACJqWiZjS4beWnMaxmJpVwv
nGMaSjA4l/Fk6CEC8vxZHFhkNKJIQzB0PNrQKUZSeLr8RQOcGyUvZtRsicnIcbj3
OK4d5rhkL8ajiroqmyWhwRHlapmN82EgEm48Fa6GOyLh0tHYd67kJSmhjfUsUzso
IzSi4iMHbBgDRswKWRSQfV3OPEdakHl01vSMo2TBQqxEERoZw6bXnU5pLKKHFa3+
1+LgRKMRbg8GvPBa+lD4MWmS0beHjxx3AgMBAAGjSDBGMB8GA1UdIwQYMBaAFJfL
G1HRhskWb2mHp7o0OGpstD47MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB
/wQEAwIE8DANBgkqhkiG9w0BAQsFAAOCAYEAsboOlOYSI4GQNK0akiRn2cvBPFxx
9t/KvtcWfsQKhgM+vOvd1Zr0qytd2o1gAmc/I+l0tVElnBbmEHCqSBoYy7CKOqwQ
frn2Sa8l1OkyP9dtn2rSMAEWdniEu7zPpj70+yT0b5c+f5tE9ZRPPw3SgkCd3n02
IJzBtdTCUt2kfk3RobQABSBfh6h1g4unwt/TWGHqPqP6fm2zamdzY4LVisYYTxd/
Q9GBDy6N0cnEPyGUhEIFLka9A7HNsL8hy5pd3HTYJK7d9zm57NZlqISy66v7vHwI
3p7dggI/lR/X2JOZIDItgXybsTPzkRwBtmTTzPF+8DBWQ8Y55dN5HRhT6M32aJ3B
nsv784zK/0FOieJJ4ajpKbudlZohVJTKQeoEMozovT9h9q3HE8lDkGP2xukFbHvl
B1jiX9JdMSTzSu4TWNkNwTurMv9Otuq0CfzQ4H4GNh3XVfr8totgq1my+zokTjzD
l0jqJzkOQDWV+gjB8jMxWQfiK9/76JYYgZd5
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a',
'-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIID3jCCAkagAwIBAgIBHDANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQyM1oXDTI3MTEwMzIxMjQyM1owKjERMA8GA1UECgwISVBBLlRFU1QxFTATBgNV
BAMMDENBIFN1YnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AOYxzBk0FKr6yHdrQNo41A4PTvfOs6QRHPvVau+c5lCc9Q6ySfl27vgxnckdJQsF
wiMLA1/6Bh0o9O/wYHzKRNvDZl3b4+YhZyHLnSNh5LYwkPp9V8F2zPGcEq935nDd
/nt5FsBQLv1hNOvjSdhHwFYPg5iPrFiNDI/ROwALzJ2m3sbtt1ACMaHCHqhQdQEx
1DFWbn6lh2+rsPSf+VaG8uYVINGuF6eXjiwQoSqwh2quwe4vJzVpmZBxigkiTYWj
/vz8IraXRceUTamV3k9iOMJoaHkW2OyL6OA8ho4UYzYLNFEfzfXzWPK5nxeqT23n
epMIRjD0LHDk4eyybCLumAUCAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBSXyxtR0YbJ
Fm9ph6e6NDhqbLQ+OzA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6
Ly9pcGEtY2EuaXBhLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBLAwEwYDVR0l
BAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBABF5frmGQLnKd+Lk8SSK
K/Duua4VfE73YawMjHcmjihRFQi100zDyXvhqUyde/VTJ6R5J9YKyHyysfwTb+GT
Zy98EA791j1EONejHBuu6OOXK0AEWxJcHu/Hj9cuRH4VkY7wwgZpEp78sK+LQs0H
DwUwAM9eDLCMPn5BBswMMjXgbqIMye6Vr96eNOxXHkKtzK2vPJv1drWQBTv6Ji6h
o2KhHmzqn66h19VS9cojH067UY8YhZa0k+/huf/abeHrbcTxNiwyBk/wswW7fW5G
o1dJISTvYvAb8wfdCFUe1c5sH5t+1DOsFYT9k6l/zxwz4/ysrz+ak0l/a0+ykNsM
kOXyJ8hQosvyJhH2fUDi7X1lC1IuLyO6wZ5knfU7tODdj6DbSHKHyvSFaD9ghSxO
aeDygw6x1LkAasl1tDxPdH9sP+m1+j58JHaRuYoobKoj39TFRyypGvGBEFgi75YD
QqU6Adi4b1LaNnm/iKDfV/jnnLEBN8USWGh6xOj/trYvhg==
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca',
'-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIID4TCCAkmgAwIBAgIBHjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQxNVoXDTI3MTEwMzIxMjQxNVowLDERMA8GA1UECgwISVBBLlRFU1QxFzAVBgNV
BAMMDk9DU1AgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAo/XaoCSJ81ppekpnlZEHk7wGwweWI7PpTEZE/YU7Zv2trXS0Ju1sXTYK9M54
DUNRYMtdL2jO2VDhrIopXTIc+rT1+dyNSbYt2wjDeuP7qatsmiuyDSIwRIpkU9Ic
QQl1yzufNwAwK+f2mzwECSHppdwja57LIgjQw1ItVNU75JFxFQyQZOrqurULSuDL
vIOGcc7cSf71gol/Cl/1xQVrJ4xOJoLx+NaOvdCC74+/hsareLmC3jOzI4daw/0L
mJWyDNDZZ7LBO+vM8Dh3Z+MGoBwb0IHLB50WqUA6XZzDEK9PUjVICpevQN3fw7Q9
bCN59CEoxWV7uPO847xi+LaiAwIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFJfLG1HR
hskWb2mHp7o0OGpstD47MA8GCSsGAQUFBzABBQQCBQAwOgYIKwYBBQUHAQEELjAs
MCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLmlwYS50ZXN0L2NhL29jc3AwEwYD
VR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggGBANKVSZlUZoOGE70c
VPj1TaH8iVmEGNYIPhXWJbkQyZtkA5DkF/EXXbtbAMSdK41hAEi3JMJL+18NVaZr
ikgOnfADS2Cw3HOh9y97ogBSUGskm774VXzTrHNTBCXQL06vsFGN90zoXTppA2m9
NouwipHdyMYdkK5PWIeX++GjKBkJ7YlzynbTaUaIQrZ7nM34ZH8sQmdjsxsPgF5G
it5KNQRZiLdpALIyHfmQjPU7iNpBFS1N9IQNZ/MK0ECinhFHjFBmKYqQIysubyxr
yfkYoWtKMPG/4aQO6ljvdAvRS2g0ns/dulCExzIMZPw3laRi6GUI2ejCIjgUDktm
D5rn5KTQvNqMdevLvEY+g/r8rgwVzUGbedoILzzdFEs0POkMgh/WwEFTSNFBbtyI
gP6Va3zQPuII8EASKWAc03d5lBD4lDGz+pUl3IT7IPqGgx6cFfhzeWIvN1FKX6I2
NFnTMW4qomom78U4bPe08/j/Z50HURSgUgstJHe1OchbY4eWEg==
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca',
'-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDpjCCAg6gAwIBAgIBGjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQyMloXDTI3MTEwMzIxMjQyMlowJjERMA8GA1UECgwISVBBLlRFU1QxETAPBgNV
BAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAulsA
fyMFGpAw9Q5izl4gVwheybTa/oDqOOjgh85UDIdihw9rqrZ4GaxVOiUbmi1RkY88
5eC4eNcUF535IbVfrOYavaFi5Npgdz7J6rlEflMiO4eaO4FEuGxnkpv0qZ+wf+DQ
1GiFAjDIvqpc4rTgsLPze+JOJGUc7aKKwhEohbYR4gDk7NwygZtJLzyY3OM0Kjcf
mODlYhpyFbirfNRzGyzyGQoOj3HU3JMD09OziB8tMhgtQdYWAIjUm4UkPhOjWNoy
0Uqai7acTMM0TcXhUZob7kUZkv/QxEtj/h6c+rr+hIiHLZCYl8XfpoE6V7HoYNVq
EBYDv3BqBTB5gUZrWwIDAQABo1IwUDAfBgNVHSMEGDAWgBSXyxtR0YbJFm9ph6e6
NDhqbLQ+OzAdBgNVHQ4EFgQUP0Xr87z2PdCjqwCgcxgIoQmWGokwDgYDVR0PAQH/
BAQDAgbAMA0GCSqGSIb3DQEBCwUAA4IBgQAy1fKqysM1UhoK0WmqnaVpX9S/mAGc
ieR9ZkqRJgnmNhK4h6vVILaMeY7qHafMR4TDB8Ch36jOOAKEL65tH8sdZOrg7S+a
c6s9C0EPNM3YSHRvwKfbn5o0AvE7xfHN7Q8EAe/aGvW5K2Dr2USLlBdKxI04HRsQ
lEIjE/kIJFpbTtONO23L5IRq18O5LCpZDjj9IrBY2v5jRTVEj5QZP+O5WIW08cUl
37JUFYUDyd17iOPZm+AYelQ0vWUseTKlQyFGeX/UKESybYE0cgCbt89eYawhbVUZ
54kPOIHGaiAppNbE2cd/rdopshy2QddA99zZGmIkSKMP/g4lMePmY3EXTOCV+xl4
TulKr8XcASZfEjD1TIthH8MjEjm/tEDbfNj5dHZKUdGg9+TiyxhjwbfdZl0K+Dh2
AUv1x3HH0+MVjGCfZpjQGG269Cc9oUZdqnLHx42/icbZ5a14sOs7n6IsSNeIEAeE
iukk7iKDxHCytBNx3FkmvZOoloREmE9gLaI=
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra',
'-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a',
'-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra',
'-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert:
auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f',
'/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIFDDCCA3SgAwIBAgIBGTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
Mjk0NFoXDTI3MTExNDIyMjk0NFowLTERMA8GA1UECgwISVBBLlRFU1QxGDAWBgNV
BAMMD21hc3Rlci5pcGEudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAOAFNDpoWxUF0/EOmKGws7tGrTLQkvrfz/37KWIjoN+kJVkHv+hD8o/ZBJN7
QXUYrnU7woEzyu/lCQpiikzo55kF2Vq6VLY3KznQJAz5G/ph3VI7BnzoBtfJinso
nor7RgbliSZyBuGTDhXBFIamDKBqSMahjjuLdlCoa9BHcek+vtXVKVe+lXz5Qb/9
nS8nKtvc1LZzX/nfrMkxGXzT/X3x2DDqsL2rZOHh8KscWrkgLp3hs+TL9gps+PMq
sRdB8YtmaUUZcDJ6g1Q2fEwWAhCDfL6QNQdYFCYo2ObNjFZDvzaXGsUSVN5GYfwI
NruwqpxIJWlBcDu9Vdi/1cld75UCAwEAAaOCAa8wggGrMB8GA1UdIwQYMBaAFJfL
G1HRhskWb2mHp7o0OGpstD47MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYe
aHR0cDovL2lwYS1jYS5pcGEudGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwcwYDVR0fBGwwajBooDCgLoYs
aHR0cDovL2lwYS1jYS5pcGEudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQy
MDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHQYDVR0OBBYEFDGSeeKRlOjqf8olA9SkU3ChzYd8MIGIBgNVHREEgYAwfoIP
bWFzdGVyLmlwYS50ZXN0oC0GCisGAQQBgjcUAgOgHwwdbGRhcC9tYXN0ZXIuaXBh
LnRlc3RASVBBLlRFU1SgPAYGKwYBBQICoDIwMKAKGwhJUEEuVEVTVKEiMCCgAwIB
AaEZMBcbBGxkYXAbD21hc3Rlci5pcGEudGVzdDANBgkqhkiG9w0BAQsFAAOCAYEA
5HY3QvTiDdNFvGrAoqwfdPnkTxKTHCGsX7I0Ouq8HpellClEKD4rB8uhEYq160J/
NrnwVXiVyoHcix4UaXWtL0f8nqIYtD+EWk+0fLLwBWjFyuh4+6moDFfO9cpiaND8
e1vu8lISIvwfv/uxxhRe0XVR4rPZ32HFpBSpDUXYS8CoF6atE1HwQmuokPX5bsoy
bQMocYvUsSTSO4spYi9guB4xNnPPtp316FjCwt/OezjUlpsyUUJTlNsmTyWJwfVz
TNX9mXo/29hKY90d2oo3ywM2P3A8smnVSjFG2fiV7w9wr7GNonw7iB/p6wMvs8q0
+VPvX+ssLhSOvAwOrcBzSzvid09xGQsRDBnPX4oRCEyJmlL9G1OXg/FgNgaStEzR
dzSI8Vjx0+bEzTeRzkaUFQw5xE79VyCGu8F+AYi1PGrqw+7A3KPIPj9b/m7GmIZX
+lnkSHMMETlfIV8p8IeqmKDktrPUhwrY2zbYZm1/rcBJ97fSB18jNP6ejWYd152u
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket',
'/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert',
'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing',
'--extra-cert', '27', '--extra-cert', '24', '--extra-cert', '25',
'--extra-cert', '23']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry:
/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing',
'ca_audit_signing']
INFO: Renewing the following additional certs: ['27', '24', '25', '23']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 28
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in
review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in
raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url:
https://master.ipa.test:8443/ca/rest/agent/certrequests/39

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in
<module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142,
in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in
execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in
execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in
execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in
cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in
renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in
enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in
approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in
_perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

ipapython.admintool: DEBUG:   File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py",
line 130, in run
    install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py",
line 262, in install_ipa_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in
load_certificate_from_file
    with open(filename, mode='rb') as f:

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
certs should get renewed.

Additional info:

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1779984

a year ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5579
- Issue assigned to ftweedal

a year ago

master:

  • 8c2c6f8 (HEAD) ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

ipa-4-9:

  • f2b1b5b (HEAD) ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

master:

  • 1605789 ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg

ipa-4-9:

  • 02c0da3 ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg

Login to comment on this ticket.

Metadata