Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf, and /var/log/pki/pki-tomcat/ca/debug reads as follows. The key line is the start-up self-test failure on the expired ocspSigningCert cert-pki-ca (NSS error -8181, "Peer's Certificate has expired"), which is thrown from SelfTestSubsystem.runSelfTestsAtStartup and so aborts CA initialization:
[08/Aug/2018:10:12:02][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED ======= java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844) at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936) at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053) at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803) at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402) at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193) at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858) at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808) at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914) at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355) at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) at com.netscape.certsrv.apps.CMS.start(CMS.java:1617) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181) Peer's Certificate has expired. 
at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method) at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554) at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842) ... 44 more Invalid class name repositorytop at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1371) at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) at com.netscape.certsrv.apps.CMS.start(CMS.java:1617) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) at 
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) ############ end of debug ############## ## I worry now that I am not making progress with cert renewal. As I read the log, two things fail during CMSEngine.startup: first the SystemCertsVerification self-test rejects the expired ocspSigningCert cert-pki-ca, and then a second exception ("Invalid class name repositorytop" from DBRegistry.createObject via Repository.checkRanges) is raised — I am not sure whether the second is a separate problem or just a consequence of the aborted start-up. Either way the CA web application does not appear to come up, which would explain what follows.
With stopped ntp and back in time /var/log/ipa/renew.log reads: 2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Initializing principal host/ca-ldap01.domain....@domain.com using keytab /etc/krb5.keytab 2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-M09nld/ccache 2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Attempt 1/1: success 2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-08-07T17:12:35Z 4375 MainThread ipa DEBUG Could not connect to the Directory Server on ca-ldap01.domain.com: Insufficient access: Invalid credentials ## OKAY, so need to enable NTPD and back in time again, now renew.log reads: 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing all plugin modules in ipaserver.plugins... 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.hbac is not a valid plugin module 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.otp is not a valid plugin module 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Starting external process 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG args=klist -V 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Process finished, return code=0 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stdout=Kerberos 5 version 1.14.1 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stderr= 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module ipaserver.plugins.rabase 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module ipaserver.plugins.sudo 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.sudo is not a valid plugin module 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.virtual is not a valid plugin module 2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module ipaserver.plugins.xmlserver 2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG 
Initializing principal host/ca-ldap01.domain....@domain.com using keytab /etc/krb5.keytab 2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-5bCOl7/ccache 2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Attempt 1/1: success 2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://ca-ldap01.domain.com:389 from SchemaCache 2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://ca-ldap01.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x5a69320> 2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Starting external process 2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG args=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -vv 2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Process finished, return code=2 2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stdout= 2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stderr=* About to connect() to ca-ldap01.domain.com port 8080 (#0) * Trying 10.211.9.58... 
* Connected to ca-ldap01.domain.com (10.211.9.58) port 8080 (#0) > GET > /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true > HTTP/1.1 Host: ca-ldap01.domain.com:8080 Accept: */* < HTTP/1.1 404 Not Found < Server: Apache-Coyote/1.1 < Content-Type: text/html;charset=utf-8 < Content-Language: en < Content-Length: 995 < Date: Thu, 25 Oct 2018 05:42:30 GMT < * Connection #0 to host ca-ldap01.domain.com left intact GET "http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true" code = 0 code_text = "No error" results = "<html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body ></html>" Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and body able.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body> ^ Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and html Entity: line 1: parser error : Premature end of data in tag body line 1 Entity: line 1: parser error : Premature end of data in tag html line 1 
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and body able.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body> ^ ## And status of certmonger service reads: Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: GET http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html> Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-ca-renew-agent-submit[6884]: dogtag-ipa-renew-agent returned 2 ## So the renewal helper reaches Tomcat on port 8080 but gets a 404 for /ca/ee/ca/profileSubmit (Tomcat's own error page, not a CA response), and the "parser error" lines are just the helper failing to parse that HTML as XML. That is consistent with the CA web application never finishing start-up because of the self-test failure above: certmonger cannot renew through the CA until the CA itself is running. Also note that the unredacted internal address (10.211.9.58) from the curl output is visible in this post. Thanks in advance for any suggestion on the next step.