[Freeipa-users] Expired certificates

[Ian Pilcher via FreeIPA-users]

After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.
I see this (repeated many times) in the journal:

WARNING: Exception processing realm 
com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
at java.lang.Thread.run(Thread.java:748)

getcert list shows a number of expired certificates (which is EXTREMELY
frustrating, as I thought that certmonger, which is running, was
supposed to take care of these renewals):


Request ID '20170306100908':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to 
https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer 
certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PENURIO.US
        subject: CN=CA Audit,O=PENURIO.US
        expires: 2017-06-19 16:27:30 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20170306100911':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to 
https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer 
certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PENURIO.US
        subject: CN=OCSP Subsystem,O=PENURIO.US
        expires: 2017-06-19 16:26:30 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20170306100914':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to 
https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer 
certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=PENURIO.US
        subject: CN=CA Subsystem,O=PENURIO.US
        expires: 2017-06-19 16:26:30 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes

I have tried setting the clock back 48 hours, but certmonger is still
unable to renew the certificates -- still with the same error.

I have checked the certificates returned when connecting to
asterisk.penurio.us:8443, and they look correct.  The CA certificate
doesn't expire until 2033, and the server certificate (whose CN is
asterisk.penurio.us) expires in 2019.

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org