john john via FreeIPA-users wrote:
> What I did:
>
> 1. ipactl stop
> 2. checked that ntpd is stopped
> 3. set date to March 8
> 4. manually start the IPA services: dirsrv, krb5kdc, httpd, pki-tomcatd:
>    systemctl start dirsrv@EXAMPLE-COM
>    systemctl start krb5kdc
>    systemctl start httpd
>    systemctl start pki-tomcatd@pki-tomcat
>
> pki-tomcatd does not start according to the "ipactl status" command:
> pki-tomcatd Service: STOPPED
> systemctl status pki-tomcatd@pki-tomcat shows that the service is started but with the following logs:
>
> [email protected] - PKI Tomcat Server pki-tomcat
>    Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor preset: disabled)
>    Active: active (running) since Tue 2022-03-08 05:51:09 UTC; 1 months 27 days ago
>   Process: 11336 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
>   Process: 11369 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
>  Main PID: 11493 (java)
>    CGroup: /system.slice/system-pki\x2dtomcatd.slice/[email protected]
>            └─11493 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
>
> Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
> Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: To enable the subsystem:
> Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
> Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Stopping authenticators
> Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
> Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
> Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
> Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
> Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
> Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Setting container
>
> In /var/log/pki/pki-tomcat/ca/selftests.log:
>
> 0.localhost-startStop-1 - [08/Mar/2022:05:49:24 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] CAPresence: CA is present
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
> 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
>
> Problem with "Certificate ocspSigningCert cert-pki-ca".
> How to fix it?
It means that the 8th won't work. As I mentioned, you need to find a date/time where all the certs are valid. Scanning the output by eye is difficult. I'd suggest:

getcert list -d /etc/pki/pki-tomcat/alias | egrep "certificate:|expires"

Use those expires to figure out when to go back in time to. IIRC the 389 and Apache certs weren't renewed so they should still be valid in early March.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
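Added example (not from the thread, and not FreeIPA or Dogtag code): a script that does the "find a date/time where all the certs are valid" step from the reply above by intersecting validity periods instead of reading expiry dates off by eye. getcert only prints the expiry, but a cert can also be rejected because the clock is set before its "Not Before", so the script takes both ends from the Validity block that `certutil -L -d <dbdir> -n <nickname>` prints; that output layout (ctime-style "Not Before:" / "Not After :" lines) is an assumption about NSS certutil, the nicknames are the ones from the listing in the thread, and the dates in the sample are constructed. `load_windows_from_nssdb` is the only part that touches a real database and is not called by the offline demo.

```python
#!/usr/bin/env python3
"""Intersect the validity windows of every certificate in an NSS database.

Added example for the FreeIPA-users thread; not code from the thread or from
FreeIPA/Dogtag. The CA's SystemCertsVerification self-test rejects any system
cert that is not valid at the current clock, so the clock has to be set inside
the intersection of all validity windows. Sample data below is constructed.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Assumption: NSS certutil prints ctime-style timestamps, e.g. "Tue Mar 08 06:00:00 2016".
_TS = r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}"
_VALIDITY_RE = re.compile(
    r"Not Before:\s*(?P<nb>" + _TS + r")\s*Not After\s*:\s*(?P<na>" + _TS + r")"
)
_TS_FMT = "%a %b %d %H:%M:%S %Y"
# `certutil -L -d <dbdir>` listing rows: "<nickname>   <ssl>,<email>,<objsign>" trust flags.
_LISTING_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_validity(certutil_text):
    """(not_before, not_after) from one certificate's `certutil -L -n <nick>` output."""
    m = _VALIDITY_RE.search(certutil_text)
    if m is None:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(m["nb"], _TS_FMT), datetime.strptime(m["na"], _TS_FMT))


def parse_nicknames(listing_text):
    """Nicknames from the `certutil -L -d <dbdir>` listing (header lines carry no trust flags)."""
    return [m["nick"] for m in (_LISTING_RE.match(l.strip()) for l in listing_text.splitlines()) if m]


def common_validity_window(windows):
    """windows: {nickname: (not_before, not_after)}.
    Returns (start, end) during which every certificate is valid, or None if disjoint."""
    start = max(nb for nb, _ in windows.values())
    end = min(na for _, na in windows.values())
    return (start, end) if start <= end else None


def invalid_at(windows, when):
    """Nicknames whose validity period does not contain `when` (what the self-test rejects)."""
    return sorted(n for n, (nb, na) in windows.items() if not nb <= when <= na)


def suggest_clock(windows, margin=timedelta(hours=1)):
    """A point inside the common window, `margin` before the earliest expiry, formatted
    for `date -u -s "..."`. Returns None when no single instant satisfies every cert."""
    win = common_validity_window(windows)
    if win is None:
        return None
    start, end = win
    return max(start, end - margin).strftime("%Y-%m-%d %H:%M:%S")


def load_windows_from_nssdb(dbdir):
    """Collect windows from a real database (run as root on the IPA server)."""
    def certutil(*args):
        cmd = ["certutil", "-L", "-d", dbdir, *args]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return {nick: parse_validity(certutil("-n", nick)) for nick in parse_nicknames(certutil())}


# Constructed sample: listing and per-cert Validity blocks in certutil's layout.
# Nicknames match the thread; the dates are invented for the demo.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""
_VALIDITY = "        Validity:\n            Not Before: {nb}\n            Not After : {na}\n"
SAMPLE_CERTUTIL = {
    "caSigningCert cert-pki-ca": _VALIDITY.format(nb="Tue Mar 08 06:00:00 2016", na="Sat Mar 08 06:00:00 2036"),
    "ocspSigningCert cert-pki-ca": _VALIDITY.format(nb="Fri Mar 06 06:00:00 2020", na="Sun Mar 06 06:00:00 2022"),
    "Server-Cert cert-pki-ca": _VALIDITY.format(nb="Tue Mar 10 06:00:00 2020", na="Thu Mar 10 06:00:00 2022"),
    "subsystemCert cert-pki-ca": _VALIDITY.format(nb="Wed Mar 04 06:00:00 2020", na="Fri Mar 04 06:00:00 2022"),
}


def demo():
    """Offline run over the constructed sample; returns plain values for inspection."""
    windows = {nick: parse_validity(text) for nick, text in SAMPLE_CERTUTIL.items()}
    start, end = common_validity_window(windows)
    return {
        "window": (start.isoformat(), end.isoformat()),
        # The clock setting the thread tried: 2022-03-08 05:51:09 UTC.
        "invalid_on_march_8": invalid_at(windows, datetime(2022, 3, 8, 5, 51, 9)),
        "clock": suggest_clock(windows),
    }


if __name__ == "__main__":
    result = demo()
    print("all certs valid between:", *result["window"])
    print("rejected on Mar 8:", result["invalid_on_march_8"])
    print('date -u -s "%s"' % result["clock"])
```

On the server, replace the sample with `load_windows_from_nssdb("/etc/pki/pki-tomcat/alias")`; with ntpd or chronyd stopped, as in the steps quoted above, feed the suggested timestamp to `date -u -s` before starting the services. With the sample dates the window closes at the subsystem cert's expiry on March 4, so March 8 is rejected for two certificates even though the OCSP cert is the only one the self-test log names; the margin keeps the clock an hour short of the earliest expiry rather than on it.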
