You are probably hitting https://pagure.io/freeipa/issue/8600 ("ipa-cert-fix unable to fix certs no named 'Server-cert'"). Unfortunately it was not fixed in RHEL 7.9.
But you can work around it. ipa-cert-fix is essentially a wrapper calling "pki-server cert-fix" and doing a few additional steps for the http and ldap server certs. Since your http and ldap server certs are not issued by PKI, and are still valid, you can directly use pki-server cert-fix (you need to have the directory server running):

pki-server cert-fix --ldapi-socket /run/slapd-YOUR-REALM.socket --agent-uid ipara
ipactl restart

I strongly advise you to back up the NSS database /etc/pki/pki-tomcat/alias first.

flo

The "pki-server cert-fix" command ran successfully (at least as far as I can tell)... pki-tomcat now starts with an ipactl restart. However, when I did the "getcert list" it was still showing all of the same things as before... mostly expired certs with just the one new one. I decided to try restarting certmonger... and I think that is getting us a little closer... Now only two of the certs are showing the old date:

# getcert list | egrep "Request ID|status:|CA:|expires:|certificate:"
Request ID '20210201172746':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172819':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172820':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172821':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172823':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172924':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        expires: 2025-05-31 15:41:32 UTC

And I also noticed that certmonger is complaining about some stuff as well...

# systemctl status certmonger -l
● certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2025-06-23 10:09:48 EDT; 4min 58s ago
 Main PID: 28710 (certmonger)
   Memory: 1.8M
   CGroup: /system.slice/certmonger.service
           └─28710 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

Jun 23 10:10:38 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:38 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Jun 23 10:10:47 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28806]: Forwarding request to dogtag-ipa-renew-agent
Jun 23 10:10:48 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28806]: dogtag-ipa-renew-agent returned 3
Jun 23 10:10:48 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:48 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Jun 23 10:10:58 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28807]: Forwarding request to dogtag-ipa-renew-agent
Jun 23 10:10:58 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28807]: dogtag-ipa-renew-agent returned 3
Jun 23 10:10:58 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:58 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Jun 23 10:11:08 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28803]: Forwarding request to dogtag-ipa-renew-agent
Jun 23 10:11:08 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28803]: dogtag-ipa-renew-agent returned 3
Jun 23 10:11:08 [HOSTNAME] certmonger[28710]: 2025-06-23 10:11:08 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.

I tried a couple of rounds of restarting both FreeIPA and certmonger to see if they were in a kind of stuck pattern with each other, but no luck. I even reran the suggested "pki-server cert-fix" a second time, but it seems it made no difference. And despite pki-tomcat starting, we are still seeing the original problem when we try to log in to the FreeIPA web UI: it gives the "Login failed due to an unknown reason." error and will not log in.
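A small triage helper for the situation in the exchange above, added here as an example; it is not code from the thread, from FreeIPA or from Dogtag. It does the two things a practitioner wants before and after a cert-fix attempt: snapshot the Dogtag NSS database that flo advises backing up, and turn `getcert list` output into a one-line-per-request table so the requests that did not return to MONITORING stand out. The sample getcert output embedded in the script is constructed to mirror the shape of the poster's output and is not real data from their server; the backup path and tarball naming are this example's own choices.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA or Dogtag project code):
#  - backup_nssdb snapshots an NSS database directory before a cert-fix run
#  - summarize_getcert / count_unhealthy parse `getcert list` output so the
#    requests still not in MONITORING state are easy to spot
# The sample output below is constructed for illustration.

set -u

# Back up an NSS database directory into a timestamped tarball.
# Usage: backup_nssdb /etc/pki/pki-tomcat/alias [dest_dir]
# Prints the tarball path on success, returns non-zero on failure.
backup_nssdb() {
    db=$1
    dest=${2:-$(dirname "$db")}
    stamp=$(date +%Y%m%d%H%M%S)
    out="$dest/$(basename "$db")-backup-$stamp.tar"
    [ -d "$db" ] || { echo "backup_nssdb: no such directory: $db" >&2; return 1; }
    tar -C "$(dirname "$db")" -cf "$out" "$(basename "$db")" || return 1
    echo "$out"
}

# Read `getcert list` output on stdin and emit one tab-separated line per
# tracking request: request ID, status, CA helper, certificate location, expiry.
summarize_getcert() {
    awk '
        function flush() {
            if (id != "") printf "%s\t%s\t%s\t%s\t%s\n", id, status, ca, cert, expires
            id = status = ca = cert = expires = ""
        }
        /^Request ID/         { flush(); gsub(/[^0-9]/, ""); id = $0; next }
        /^[ \t]*status:/      { status = $2; next }
        /^[ \t]*CA:/          { ca = $2; next }
        /^[ \t]*certificate:/ { sub(/^[ \t]*certificate:[ \t]*/, ""); cert = $0; next }
        /^[ \t]*expires:/     { expires = $2 " " $3; next }
        END { flush() }
    '
}

# Number of tracked requests whose status is anything but MONITORING
# (CA_UNREACHABLE, NEED_CA_CERT, ...): the ones that still need attention.
count_unhealthy() {
    summarize_getcert | awk -F '\t' '$2 != "MONITORING" { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of the poster's output: the IPA RA agent
# cert and one Dogtag subsystem cert still CA_UNREACHABLE, the CA cert fine.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20210201172746':
        status: CA_UNREACHABLE
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172821':
        status: CA_UNREACHABLE
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172822':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
EOF
)

# On an IPA server, summarise the live tracking state; anywhere else
# (or for a dry run) fall back to the constructed sample.
if command -v getcert >/dev/null 2>&1; then
    getcert list | summarize_getcert
else
    printf '%s\n' "$SAMPLE_GETCERT" | summarize_getcert
fi
```

Run it before the cert-fix attempt (`backup_nssdb /etc/pki/pki-tomcat/alias /root`) and again afterwards to compare the table. Two things the table makes visible in the poster's case: the RA agent certificate entry (/var/lib/ipa/ra-agent.pem) shows an expiry of 2025-05-31, which is earlier than the 2025-06-23 timestamps in the certmonger log, and curl error 58 ("problem with the local SSL certificate") is the client-side error curl reports when the certificate it was asked to present cannot be used. Whichever requests remain CA_UNREACHABLE after the CA is actually answering again are the ones to retry with `getcert resubmit -i <request ID>`.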
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue