Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1779984
Description of problem:

With repeated date changing and setting back and forth, ipa-cert-fix failed to renew the certs.

# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@master ~]# time^C
[root@master ~]# date
Thu Nov 13 17:39:34 EST 2025
[root@master ~]#
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 5025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 5025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 50^C"
[root@master ~]# date
Thu Nov 13 17:41:21 EST 2025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 3025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 3025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2125"
Tue Nov 13 17:23:34 EST 2125
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real	0m21.731s
user	0m2.544s
sys	0m0.317s
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2225"
Sun Nov 13 17:23:34 EST 2225
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real	0m22.144s
user	0m2.530s
sys	0m0.352s
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@master ~]#
[root@master ~]#
[root@master ~]#
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 1925"
date: cannot set date: Invalid argument
Fri Nov 13 17:23:34 EST 1925
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2017"
Mon Nov 13 17:23:34 EST 2017
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"
Mon Nov 13 17:23:34 EST 2090
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"^C
(reverse-i-search)`cert': service ^Crtmonger restart
[root@master ~]# ip-acer^C
[root@master ~]# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2027-11-03 21:24:34

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2091-02-13 22:24:04

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
The ipa-cert-fix command failed.
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

Version-Release number of selected component (if applicable):

[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)
[root@master ~]# rpm -qa|grep ipa
python3-libipa_hbac-2.2.0-19.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
libipa_hbac-2.2.0-19.el8.x86_64
ipa-server-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
python3-ipalib-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-trust-ad-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
sssd-ipa-2.2.0-19.el8.x86_64
redhat-logos-ipa-81.1-1.el8.noarch
python3-ipaserver-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-server-dns-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch

# ipa-cert-fix --version
4.8.0

# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]

      --cert <Cert ID>            Fix specified system cert (default: all certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
      --ldap-url <URL>            LDAP URL (mutually exclusive to --ldapi-socket)
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -p, --port <port number>        Secure port number (default: 8443).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.

ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_139775471691928
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f2002ce5a58>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDpzCCAg+gAwIBAgIBHTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCIYDzIwOTAxMTEz
MjIyNDA0WhgPMjA5MTAyMTMyMjI0MDRaMC0xETAPBgNVBAoMCElQQS5URVNUMRgw
FgYDVQQDDA9tYXN0ZXIuaXBhLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC4mD9RpmAgwr+7o2PiIsIqAySEiFWQI2/H3ZVPwTElKgPLZrxIfnCm
UKB2N586BrOjjU45eAYcHJZMHoLjELsUpHhfdqPrjACJqWiZjS4beWnMaxmJpVwv
nGMaSjA4l/Fk6CEC8vxZHFhkNKJIQzB0PNrQKUZSeLr8RQOcGyUvZtRsicnIcbj3
OK4d5rhkL8ajiroqmyWhwRHlapmN82EgEm48Fa6GOyLh0tHYd67kJSmhjfUsUzso
IzSi4iMHbBgDRswKWRSQfV3OPEdakHl01vSMo2TBQqxEERoZw6bXnU5pLKKHFa3+
1+LgRKMRbg8GvPBa+lD4MWmS0beHjxx3AgMBAAGjSDBGMB8GA1UdIwQYMBaAFJfL
G1HRhskWb2mHp7o0OGpstD47MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB
/wQEAwIE8DANBgkqhkiG9w0BAQsFAAOCAYEAsboOlOYSI4GQNK0akiRn2cvBPFxx
9t/KvtcWfsQKhgM+vOvd1Zr0qytd2o1gAmc/I+l0tVElnBbmEHCqSBoYy7CKOqwQ
frn2Sa8l1OkyP9dtn2rSMAEWdniEu7zPpj70+yT0b5c+f5tE9ZRPPw3SgkCd3n02
IJzBtdTCUt2kfk3RobQABSBfh6h1g4unwt/TWGHqPqP6fm2zamdzY4LVisYYTxd/
Q9GBDy6N0cnEPyGUhEIFLka9A7HNsL8hy5pd3HTYJK7d9zm57NZlqISy66v7vHwI
3p7dggI/lR/X2JOZIDItgXybsTPzkRwBtmTTzPF+8DBWQ8Y55dN5HRhT6M32aJ3B
nsv784zK/0FOieJJ4ajpKbudlZohVJTKQeoEMozovT9h9q3HE8lDkGP2xukFbHvl
B1jiX9JdMSTzSu4TWNkNwTurMv9Otuq0CfzQ4H4GNh3XVfr8totgq1my+zokTjzD
l0jqJzkOQDWV+gjB8jMxWQfiK9/76JYYgZd5
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIID3jCCAkagAwIBAgIBHDANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQyM1oXDTI3MTEwMzIxMjQyM1owKjERMA8GA1UECgwISVBBLlRFU1QxFTATBgNV
BAMMDENBIFN1YnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AOYxzBk0FKr6yHdrQNo41A4PTvfOs6QRHPvVau+c5lCc9Q6ySfl27vgxnckdJQsF
wiMLA1/6Bh0o9O/wYHzKRNvDZl3b4+YhZyHLnSNh5LYwkPp9V8F2zPGcEq935nDd
/nt5FsBQLv1hNOvjSdhHwFYPg5iPrFiNDI/ROwALzJ2m3sbtt1ACMaHCHqhQdQEx
1DFWbn6lh2+rsPSf+VaG8uYVINGuF6eXjiwQoSqwh2quwe4vJzVpmZBxigkiTYWj
/vz8IraXRceUTamV3k9iOMJoaHkW2OyL6OA8ho4UYzYLNFEfzfXzWPK5nxeqT23n
epMIRjD0LHDk4eyybCLumAUCAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBSXyxtR0YbJ
Fm9ph6e6NDhqbLQ+OzA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6
Ly9pcGEtY2EuaXBhLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBLAwEwYDVR0l
BAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBABF5frmGQLnKd+Lk8SSK
K/Duua4VfE73YawMjHcmjihRFQi100zDyXvhqUyde/VTJ6R5J9YKyHyysfwTb+GT
Zy98EA791j1EONejHBuu6OOXK0AEWxJcHu/Hj9cuRH4VkY7wwgZpEp78sK+LQs0H
DwUwAM9eDLCMPn5BBswMMjXgbqIMye6Vr96eNOxXHkKtzK2vPJv1drWQBTv6Ji6h
o2KhHmzqn66h19VS9cojH067UY8YhZa0k+/huf/abeHrbcTxNiwyBk/wswW7fW5G
o1dJISTvYvAb8wfdCFUe1c5sH5t+1DOsFYT9k6l/zxwz4/ysrz+ak0l/a0+ykNsM
kOXyJ8hQosvyJhH2fUDi7X1lC1IuLyO6wZ5knfU7tODdj6DbSHKHyvSFaD9ghSxO
aeDygw6x1LkAasl1tDxPdH9sP+m1+j58JHaRuYoobKoj39TFRyypGvGBEFgi75YD
QqU6Adi4b1LaNnm/iKDfV/jnnLEBN8USWGh6xOj/trYvhg==
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIID4TCCAkmgAwIBAgIBHjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQxNVoXDTI3MTEwMzIxMjQxNVowLDERMA8GA1UECgwISVBBLlRFU1QxFzAVBgNV
BAMMDk9DU1AgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAo/XaoCSJ81ppekpnlZEHk7wGwweWI7PpTEZE/YU7Zv2trXS0Ju1sXTYK9M54
DUNRYMtdL2jO2VDhrIopXTIc+rT1+dyNSbYt2wjDeuP7qatsmiuyDSIwRIpkU9Ic
QQl1yzufNwAwK+f2mzwECSHppdwja57LIgjQw1ItVNU75JFxFQyQZOrqurULSuDL
vIOGcc7cSf71gol/Cl/1xQVrJ4xOJoLx+NaOvdCC74+/hsareLmC3jOzI4daw/0L
mJWyDNDZZ7LBO+vM8Dh3Z+MGoBwb0IHLB50WqUA6XZzDEK9PUjVICpevQN3fw7Q9
bCN59CEoxWV7uPO847xi+LaiAwIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFJfLG1HR
hskWb2mHp7o0OGpstD47MA8GCSsGAQUFBzABBQQCBQAwOgYIKwYBBQUHAQEELjAs
MCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLmlwYS50ZXN0L2NhL29jc3AwEwYD
VR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggGBANKVSZlUZoOGE70c
VPj1TaH8iVmEGNYIPhXWJbkQyZtkA5DkF/EXXbtbAMSdK41hAEi3JMJL+18NVaZr
ikgOnfADS2Cw3HOh9y97ogBSUGskm774VXzTrHNTBCXQL06vsFGN90zoXTppA2m9
NouwipHdyMYdkK5PWIeX++GjKBkJ7YlzynbTaUaIQrZ7nM34ZH8sQmdjsxsPgF5G
it5KNQRZiLdpALIyHfmQjPU7iNpBFS1N9IQNZ/MK0ECinhFHjFBmKYqQIysubyxr
yfkYoWtKMPG/4aQO6ljvdAvRS2g0ns/dulCExzIMZPw3laRi6GUI2ejCIjgUDktm
D5rn5KTQvNqMdevLvEY+g/r8rgwVzUGbedoILzzdFEs0POkMgh/WwEFTSNFBbtyI
gP6Va3zQPuII8EASKWAc03d5lBD4lDGz+pUl3IT7IPqGgx6cFfhzeWIvN1FKX6I2
NFnTMW4qomom78U4bPe08/j/Z50HURSgUgstJHe1OchbY4eWEg==
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDpjCCAg6gAwIBAgIBGjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
MjQyMloXDTI3MTEwMzIxMjQyMlowJjERMA8GA1UECgwISVBBLlRFU1QxETAPBgNV
BAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAulsA
fyMFGpAw9Q5izl4gVwheybTa/oDqOOjgh85UDIdihw9rqrZ4GaxVOiUbmi1RkY88
5eC4eNcUF535IbVfrOYavaFi5Npgdz7J6rlEflMiO4eaO4FEuGxnkpv0qZ+wf+DQ
1GiFAjDIvqpc4rTgsLPze+JOJGUc7aKKwhEohbYR4gDk7NwygZtJLzyY3OM0Kjcf
mODlYhpyFbirfNRzGyzyGQoOj3HU3JMD09OziB8tMhgtQdYWAIjUm4UkPhOjWNoy
0Uqai7acTMM0TcXhUZob7kUZkv/QxEtj/h6c+rr+hIiHLZCYl8XfpoE6V7HoYNVq
EBYDv3BqBTB5gUZrWwIDAQABo1IwUDAfBgNVHSMEGDAWgBSXyxtR0YbJFm9ph6e6
NDhqbLQ+OzAdBgNVHQ4EFgQUP0Xr87z2PdCjqwCgcxgIoQmWGokwDgYDVR0PAQH/
BAQDAgbAMA0GCSqGSIb3DQEBCwUAA4IBgQAy1fKqysM1UhoK0WmqnaVpX9S/mAGc
ieR9ZkqRJgnmNhK4h6vVILaMeY7qHafMR4TDB8Ch36jOOAKEL65tH8sdZOrg7S+a
c6s9C0EPNM3YSHRvwKfbn5o0AvE7xfHN7Q8EAe/aGvW5K2Dr2USLlBdKxI04HRsQ
lEIjE/kIJFpbTtONO23L5IRq18O5LCpZDjj9IrBY2v5jRTVEj5QZP+O5WIW08cUl
37JUFYUDyd17iOPZm+AYelQ0vWUseTKlQyFGeX/UKESybYE0cgCbt89eYawhbVUZ
54kPOIHGaiAppNbE2cd/rdopshy2QddA99zZGmIkSKMP/g4lMePmY3EXTOCV+xl4
TulKr8XcASZfEjD1TIthH8MjEjm/tEDbfNj5dHZKUdGg9+TiyxhjwbfdZl0K+Dh2
AUv1x3HH0+MVjGCfZpjQGG269Cc9oUZdqnLHx42/icbZ5a14sOs7n6IsSNeIEAeE
iukk7iKDxHCytBNx3FkmvZOoloREmE9gLaI=
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIFDDCCA3SgAwIBAgIBGTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
VEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI1MTExMzIy
Mjk0NFoXDTI3MTExNDIyMjk0NFowLTERMA8GA1UECgwISVBBLlRFU1QxGDAWBgNV
BAMMD21hc3Rlci5pcGEudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAOAFNDpoWxUF0/EOmKGws7tGrTLQkvrfz/37KWIjoN+kJVkHv+hD8o/ZBJN7
QXUYrnU7woEzyu/lCQpiikzo55kF2Vq6VLY3KznQJAz5G/ph3VI7BnzoBtfJinso
nor7RgbliSZyBuGTDhXBFIamDKBqSMahjjuLdlCoa9BHcek+vtXVKVe+lXz5Qb/9
nS8nKtvc1LZzX/nfrMkxGXzT/X3x2DDqsL2rZOHh8KscWrkgLp3hs+TL9gps+PMq
sRdB8YtmaUUZcDJ6g1Q2fEwWAhCDfL6QNQdYFCYo2ObNjFZDvzaXGsUSVN5GYfwI
NruwqpxIJWlBcDu9Vdi/1cld75UCAwEAAaOCAa8wggGrMB8GA1UdIwQYMBaAFJfL
G1HRhskWb2mHp7o0OGpstD47MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYe
aHR0cDovL2lwYS1jYS5pcGEudGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwcwYDVR0fBGwwajBooDCgLoYs
aHR0cDovL2lwYS1jYS5pcGEudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQy
MDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHQYDVR0OBBYEFDGSeeKRlOjqf8olA9SkU3ChzYd8MIGIBgNVHREEgYAwfoIP
bWFzdGVyLmlwYS50ZXN0oC0GCisGAQQBgjcUAgOgHwwdbGRhcC9tYXN0ZXIuaXBh
LnRlc3RASVBBLlRFU1SgPAYGKwYBBQICoDIwMKAKGwhJUEEuVEVTVKEiMCCgAwIB
AaEZMBcbBGxkYXAbD21hc3Rlci5pcGEudGVzdDANBgkqhkiG9w0BAQsFAAOCAYEA
5HY3QvTiDdNFvGrAoqwfdPnkTxKTHCGsX7I0Ouq8HpellClEKD4rB8uhEYq160J/
NrnwVXiVyoHcix4UaXWtL0f8nqIYtD+EWk+0fLLwBWjFyuh4+6moDFfO9cpiaND8
e1vu8lISIvwfv/uxxhRe0XVR4rPZ32HFpBSpDUXYS8CoF6atE1HwQmuokPX5bsoy
bQMocYvUsSTSO4spYi9guB4xNnPPtp316FjCwt/OezjUlpsyUUJTlNsmTyWJwfVz
TNX9mXo/29hKY90d2oo3ywM2P3A8smnVSjFG2fiV7w9wr7GNonw7iB/p6wMvs8q0
+VPvX+ssLhSOvAwOrcBzSzvid09xGQsRDBnPX4oRCEyJmlL9G1OXg/FgNgaStEzR
dzSI8Vjx0+bEzTeRzkaUFQw5xE79VyCGu8F+AYi1PGrqw+7A3KPIPj9b/m7GmIZX
+lnkSHMMETlfIV8p8IeqmKDktrPUhwrY2zbYZm1/rcBJ97fSB18jNP6ejWYd152u
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=

WARNING

ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of FreeIPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '27', '--extra-cert', '24', '--extra-cert', '25', '--extra-cert', '23']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['27', '24', '25', '23']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 28
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://master.ipa.test:8443/ca/rest/agent/certrequests/39

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in _perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 130, in run
    install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 262, in install_ipa_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in load_certificate_from_file
    with open(filename, mode='rb') as f:

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
certs should get renewed.

Additional info:
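The log above shows the two-stage failure: `pki-server cert-fix` aborts with "Authentication method not allowed" before it has written the renewed copies of the `--extra-cert` serials, and ipa-cert-fix then crashes on `open()` of `/etc/pki/pki-tomcat/certs/27-renewed.crt`. The following is an added example, not FreeIPA or Dogtag code, of a pre-flight check an operator can run between the two stages: it recovers the `--extra-cert` serials from the argv line ipa-cert-fix logs, maps them back to certificate names from the "will be renewed" summary, and reports which `<serial>-renewed.crt` files are absent or empty. The `<serial>-renewed.crt` naming and the logged line formats are taken from the report; the sample input strings and the temporary certs directory in `demo()` are constructed for the example.

```python
"""Pre-flight check: did pki-server cert-fix produce every renewed cert that
ipa-cert-fix is about to install?  Added example; not FreeIPA/Dogtag code."""
import ast
import os
import re
import tempfile
from typing import Dict, List

# Sample inputs copied from the report's log (flattened form), used as test data.
SAMPLE_ARGS_LINE = (
    "ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', "
    "'/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', "
    "'--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '27', "
    "'--extra-cert', '24', '--extra-cert', '25', '--extra-cert', '23']"
)
SAMPLE_SUMMARY = (
    "The following certificates will be renewed: "
    "Dogtag subsystem certificate: Subject: CN=CA Subsystem,O=IPA.TEST Serial: 28 Expires: 2027-11-03 21:24:23 "
    "IPA IPA RA certificate: Subject: CN=IPA RA,O=IPA.TEST Serial: 27 Expires: 2027-11-03 21:24:24 "
    "IPA Apache HTTPS certificate: Subject: CN=master.ipa.test,O=IPA.TEST Serial: 24 Expires: 2027-11-14 22:29:32 "
    "IPA LDAP certificate: Subject: CN=master.ipa.test,O=IPA.TEST Serial: 25 Expires: 2027-11-14 22:29:44 "
    "IPA KDC certificate: Subject: CN=master.ipa.test,O=IPA.TEST Serial: 23 Expires: 2027-11-14 22:29:23"
)

_ARGS_RE = re.compile(r"args=(\[.*\])\s*$")
_SUMMARY_RE = re.compile(
    r"(?P<name>[A-Za-z][A-Za-z_ ]*? certificate): Subject: (?P<subject>.+?) "
    r"Serial: (?P<serial>\d+) Expires: (?P<expires>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def extra_cert_serials(args_line: str) -> List[str]:
    """Serials passed as `--extra-cert`, in argv order, from a logged args=[...] line."""
    m = _ARGS_RE.search(args_line)
    if not m:
        raise ValueError("no args=[...] list found in line")
    argv = ast.literal_eval(m.group(1))  # ipautil logs argv as a Python list literal
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "--extra-cert"]


def serial_names(summary: str) -> Dict[str, str]:
    """Map serial -> human-readable certificate name from the 'will be renewed' text."""
    return {m.group("serial"): m.group("name") for m in _SUMMARY_RE.finditer(summary)}


def renewed_cert_path(certs_dir: str, serial: str) -> str:
    # Naming taken from the traceback in the report: <serial>-renewed.crt
    return os.path.join(certs_dir, f"{serial}-renewed.crt")


def missing_renewed_certs(serials: List[str], certs_dir: str) -> List[str]:
    """Serials whose renewed cert file is absent or empty (would fail to load)."""
    missing = []
    for s in serials:
        p = renewed_cert_path(certs_dir, s)
        if not os.path.isfile(p) or os.path.getsize(p) == 0:
            missing.append(s)
    return missing


def report(summary: str, args_line: str, certs_dir: str) -> Dict[str, object]:
    names = serial_names(summary)
    serials = extra_cert_serials(args_line)
    missing = missing_renewed_certs(serials, certs_dir)
    return {
        "expected": serials,
        "missing": missing,
        "missing_names": [names.get(s, "<unknown>") for s in missing],
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: only serials 24 and 25 were written before the abort."""
    with tempfile.TemporaryDirectory() as certs_dir:
        for s in ("24", "25"):
            with open(renewed_cert_path(certs_dir, s), "w") as f:
                f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        return report(SAMPLE_SUMMARY, SAMPLE_ARGS_LINE, certs_dir)


if __name__ == "__main__":
    r = demo()
    if r["missing"]:
        print("pki-server cert-fix did not produce renewed certs for:",
              ", ".join(f"{s} ({n})" for s, n in zip(r["missing"], r["missing_names"])))
    else:
        print("all extra certs renewed; ipa-cert-fix can install them")
```

On a real server the operator would point `report()` at `/etc/pki/pki-tomcat/certs` and at the lines captured from `ipa-cert-fix -v`; a non-empty `missing` list means the Dogtag stage did not complete, so the cause shown in the Dogtag stderr (here the 403 on the agent REST call) has to be fixed before ipa-cert-fix will get past `install_ipa_certs`.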
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1779984

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5579
- Issue assigned to ftweedal
master:
ipa-4-9:
Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)