Hi, "does it mean that they were replaced with externally-signed server certificates using ipa-server-certinstall?" yes , I replaced with externally-signed server certificates using certutil less /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log 2022-12-13 08:18:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 08:23:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 08:28:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:33:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca 2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 08:33:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 08:38:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 08:43:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 08:48:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca 2022-12-13 08:48:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:53:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 08:53:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 08:53:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 08:53:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 08:53:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 08:58:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CRLIssuingPoint: Updating MasterCRL 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Signing Certificate 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CRLReposiotry: Updating CRL issuing point record 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: true 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: type: crl 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: predicate: null 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing CRL 130 to MasterCRL 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: true 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: type: crl 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: predicate: null 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: enabled: false 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing rules: 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - rule: FileCrlRule 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: mapper: NoMap 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing to CN=Certificate Authority,O=WINGON.HK 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - publisher: FileBaseCRLPublisher 2022-12-13 09:00:00 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Published CRL 2022-12-13 09:03:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca 2022-12-13 09:03:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 09:03:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 09:03:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 09:03:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:03:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 09:08:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 09:13:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter 2022-12-13 09:13:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges 2022-12-13 09:13:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges 2022-12-13 09:13:31 [Timer-0] INFO: SessionTimer: checking security domain sessions 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID) 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID) 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca 2022-12-13 09:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED) 2022-12-13 09:18:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca
The debug log has no relevant error prompts _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue