Hi,

On Fri, Jun 20, 2025 at 12:06 AM Schrier, William (Contractor) <
wschr...@peacecorps.gov> wrote:

> > What directions did you follow from Flo's blog? It looks like on the CA
> > signing cert was updated. Is that all you did?
>
> Yes - at this stage only the CA signing cert was expired and updated.  I
> also had to update the CA cert chain because the certs for the sub-CA
> changed (even though the old one was still before expiration, I think the
> AD admins redid it at some point).  I used a combination of this post:
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> and this post and some comments back and forth with Florence on the post
> until we moved the discussion here:
> https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-authority-component-in-freeipa/
>
> >
> > I think at this point you should try running ipa-cert-fix.
>
> Unfortunately that fails:
>
> # ipa-cert-fix
> Failed to get Server-Cert
> The ipa-cert-fix command failed.
> # ipa-cert-fix --verbose
> ipapython.admintool: DEBUG: Not logging to a file
> ipalib.install.sysrestore: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> ipalib.install.sysrestore: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipaserver.install.installutils: DEBUG: httpd is configured
> ipaserver.install.installutils: DEBUG: kadmin is configured
> ipaserver.install.installutils: DEBUG: dirsrv is configured
> ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
> ipaserver.install.installutils: DEBUG: install is not configured
> ipaserver.install.installutils: DEBUG: krb5kdc is configured
> ipaserver.install.installutils: DEBUG: ntpd is configured
> ipaserver.install.installutils: DEBUG: named is not configured
> ipaserver.install.installutils: DEBUG: filestore has files
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=pki-server cert-fix --help
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]
>
>       --cert <Cert ID>            Fix specified system cert (default: all
> certs).
>       --extra-cert <Serial>       Also renew cert with given serial number.
>       --agent-uid <String>        UID of Dogtag agent user
>       --ldapi-socket <Path>       Path to DS LDAPI socket
>   -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
>   -v, --verbose                   Run in verbose mode.
>       --debug                     Run in debug mode.
>       --help                      Show help message.
>
>
> ipapython.ipautil: DEBUG: stderr=
> ipalib.plugable: DEBUG: importing all plugin modules in
> ipaserver.plugins...
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.automember
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
> ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin
> module
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.certprofile
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.delegation
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.domainlevel
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
> ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.hbacsvcgroup
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.krbtpolicy
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
> ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.permission
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
> ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin
> module
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.radiusproxy
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.realmdomains
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.selfservice
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.selinuxusermap
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.serverrole
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.serverroles
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.servicedelegation
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
> ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
> ipalib.plugable: DEBUG: importing plugin module
> ipaserver.plugins.sudocmdgroup
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
> ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin
> module
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
> ipalib.backend: DEBUG: Created connection context.ldap2_139844927169552
> ipalib.install.sysrestore: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> ipalib.install.sysrestore: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject
> base in sysupgrade
> ipalib.install.sysrestore: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> ipalib.install.sysrestore: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> ipaserver.install.dsinstance: DEBUG: Found certificate subject base in
> sysupgrade: O=[DOMAIN]
> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-[DOMAIN].socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f302ea1ca70>
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n Server-Cert cert-pki-ca -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> [CENSORED]
> -----END CERTIFICATE-----
>
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n subsystemCert cert-pki-ca -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> [CENSORED]
> -----END CERTIFICATE-----
>
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n ocspSigningCert cert-pki-ca -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> [CENSORED]
> -----END CERTIFICATE-----
>
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-ca -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> [CENSORED]
> -----END CERTIFICATE-----
>
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert:
> transportCert cert-pki-kra
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n storageCert cert-pki-kra -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert:
> storageCert cert-pki-kra
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d
> dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-kra -a -f
> /etc/pki/pki-tomcat/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert:
> auditSigningCert cert-pki-kra
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias
> -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipapython.admintool: DEBUG:   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line
> 100, in run
>     certs, extra_certs = expired_certs(now)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line
> 142, in expired_certs
>     return expired_dogtag_certs(now), expired_ipa_certs(now)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line
> 191, in expired_ipa_certs
>     cert = db.get_cert('Server-Cert')
>   File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744,
> in get_cert
>     raise RuntimeError("Failed to get %s" % nickname)
>
> ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception:
> RuntimeError: Failed to get Server-Cert
> ipapython.admintool: ERROR: Failed to get Server-Cert
>

You are probably hitting https://pagure.io/freeipa/issue/8600 (ipa-cert-fix
unable to fix certs no named 'Server-cert'). Unfortunately it was not fixed in
RHEL 7.9.

But you can work around it. ipa-cert-fix is essentially a wrapper calling
"pki-server cert-fix" and doing a few additional steps for the http and ldap
server certs. Since your http and ldap server certs are not issued by PKI,
and are still valid, you can directly use pki-server cert-fix (you need to
have the directory server running):

pki-server cert-fix --ldapi-socket /run/slapd-YOUR-REALM.socket --agent-uid ipara
ipactl restart

I strongly advise you to back up the NSS database /etc/pki/pki-tomcat/alias
first.
flo

> ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> #
>
> I assume this is failing because pki-tomcat is not running, but I'm not
> 100% sure on that... but if it is, it is a chicken-and-egg problem because
> pki-tomcat won't start because it doesn't like the certs...
>
> Alternatively it is failing because the certs are not actually named
> "Server-Cert"
>
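An added example, not code from the thread or from FreeIPA: a small parser for the `ipa-cert-fix --verbose` debug output quoted above that lists which NSS nicknames certutil could and could not read, so the lookup that makes the tool abort (here the httpd 'Server-Cert') is visible at a glance. The sample log is constructed in the unwrapped format the tool emits; paths and nicknames are those shown in the quoted log.

```python
import re
from dataclasses import dataclass

# Constructed sample in ipa-cert-fix --verbose format (unwrapped; stdout PEM omitted).
SAMPLE_LOG = """\
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n Server-Cert cert-pki-ca -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
"""
ARGS_RE = re.compile(r"DEBUG: args=(/usr/bin/certutil .*)$")
RC_RE = re.compile(r"DEBUG: Process finished, return code=(\d+)$")
STDERR_RE = re.compile(r"DEBUG: stderr=(.+)$")
@dataclass
class Lookup:
    db: str        # NSS database certutil was given via -d
    nickname: str  # -n value, e.g. "Server-Cert cert-pki-ca"
    rc: int = -1   # certutil exit status: 0 found, 255 not found
    error: str = ""

def parse_lookups(log: str) -> list:
    """One Lookup per certutil call in an ipa-cert-fix --verbose log."""
    lookups, cur = [], None
    for line in log.splitlines():
        if m := ARGS_RE.search(line):
            argv = m.group(1).split()
            # argv is logged unquoted, so "Server-Cert cert-pki-ca" spans tokens
            n = argv.index("-n") + 1
            end = next(j for j in range(n, len(argv)) if argv[j].startswith("-"))
            cur = Lookup(argv[argv.index("-d") + 1], " ".join(argv[n:end]))
            lookups.append(cur)
        elif "DEBUG: args=" in line:
            cur = None  # some other process (e.g. pki-server cert-fix --help)
        elif cur and (m := RC_RE.search(line)):
            cur.rc = int(m.group(1))
        elif cur and (m := STDERR_RE.search(line)):
            cur.error = m.group(1)
        elif cur and cur.error and line.startswith(":"):
            cur.error += " " + line.lstrip(": ")  # certutil's 2nd stderr line
    return lookups

def missing(lookups: list) -> list:
    """(db, nickname) pairs certutil could not read; ipa-cert-fix aborts on the first."""
    return [(l.db, l.nickname) for l in lookups if l.rc != 0]
```

Feed it the real `ipa-cert-fix --verbose` output (each log entry on one line) and `missing()` shows which database is being searched for which nickname, which is the check to make before deciding whether the pki-server cert-fix workaround above applies.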
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org