No, CA component is not running, and seems not much activity under /var/log/pki/pki-tomcat. Maybe these can be of interest:
[1] selftests.log 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! [2] catalina.log WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property Flo, if I can suspect on this .... I recall before incident this one expires on 2036, now it's 2038 status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2038-10-22 18:15:48 UTC track: yes auto-renew: yes And URI was hostname, not ipa-ca. # certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep URI URI: "http://ipa-ca.domain.com/ca/ocsp" Is there way to "manually" revert change or renew a cert? _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org