No, the CA component is not running, and there seems to be not much activity under  
/var/log/pki/pki-tomcat. Maybe these can be of interest: 

[1] selftests.log
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] 
SystemCertsVerification: system certs verification failure: Certificate 
ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's 
Certificate has expired.
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] 
SelfTestSubsystem: The CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!

[2] catalina.log

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did 
not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a 
matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not 
find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
'xmlNamespaceAware' to 'false' did not find a matching property

Flo, if I may suspect this .... I recall that before the incident this one expired in 
2036; now it's 2038.


        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        expires: 2038-10-22 18:15:48 UTC
        track: yes
        auto-renew: yes

And the URI was the hostname, not ipa-ca. 

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | 
grep URI
                URI: "http://ipa-ca.domain.com/ca/ocsp";

Is there a way to "manually" revert the change or renew a cert? 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
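As an added example (not from the post, FreeIPA or Dogtag), a small Python parser for the two artifacts quoted above: it pulls the failing certificate nickname, NSS error code and reason out of the selftests.log lines, and reads the certmonger tracking block into a dict, so an expired system certificate can be compared against what certmonger believes its expiry and auto-renew state to be. The sample text below is constructed from the post.

```python
import re
from datetime import datetime, timezone

# Constructed samples of the two artifacts from the post (not live system data):
# a Dogtag selftests.log failure and a certmonger 'getcert list' entry.
SELFTESTS_LOG = """\
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""
GETCERT_BLOCK = """\
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2038-10-22 18:15:48 UTC
        track: yes
        auto-renew: yes
"""

# "Certificate <nickname> is invalid: ... (<nss error code>) <reason>"
FAILURE_RE = re.compile(
    r"Certificate (?P<nick>.+?) is invalid: .*?\((?P<code>-?\d+)\) (?P<reason>[^\n]+)"
)

def failed_system_certs(log_text):
    """Return (nickname, nss_error_code, reason) for each SystemCertsVerification failure."""
    found = []
    for line in log_text.splitlines():
        if "SystemCertsVerification" not in line:
            continue
        m = FAILURE_RE.search(line)
        if m:
            found.append((m.group("nick"), int(m.group("code")), m.group("reason").rstrip(".")))
    return found

def tracking_summary(block):
    """Parse one certmonger tracking entry into nickname, expiry (UTC) and renewal state."""
    fields = {}
    for line in block.splitlines():
        key, _, value = line.strip().partition(": ")
        if key:
            fields[key] = value
    nick = re.search(r"nickname='([^']+)'", fields.get("certificate", ""))
    expires = datetime.strptime(fields["expires"], "%Y-%m-%d %H:%M:%S %Z")
    return {"nickname": nick.group(1) if nick else None,
            "expires": expires.replace(tzinfo=timezone.utc),
            "auto_renew": fields.get("auto-renew") == "yes",
            "stuck": fields.get("stuck") == "yes"}
```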