On Thu, Nov 5, 2020 at 10:59 AM Rob Crittenden <rcritten@redhat.com> wrote:
Mike Mercier via FreeIPA-devel wrote:
> Hello,
>
> I have an old IPA 3 installation (master and two slaves) where the
> certificates are failing to renew.  If I recall correctly, the original
> installation for the CA used a self signed cert option.
>
> I am experiencing the following issues:
> 1. I am unable to run any ipa commands.
> 2. I am unable to start ipa on the two slaves
> See below for some output from the master.
>
> At a minimum, I would like to be able to retrieve the DNS records from
> the master.
>
> Any assistance would be greatly appreciated!
>
> Thanks,
> Mike
>
>
> [root@ipa1 ~]# date
> Thu Nov  5 08:37:03 EST 2020
> [root@ipa1 ~]# kinit admin
> Password for admin@example.com:
> [root@ipa1 ~]# ipa config-show
> ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://service-3.example.com/ipa/xml, https://service-2.example.com/ipa/xml
> [root@ipa1 ~]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [root@ipa1 ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20121102143154':
> status: NEED_TO_SUBMIT
> ca-error: Server at https://ipa1.example.com/ipa/xml failed request,
> will retry: -504 (libcurl failed to execute the HTTP POST transaction. 
> Peer certificate cannot be authenticated with known CA certificates).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa1.example.com,O=EXAMPLE.COM
> expires: 2020-11-02 14:31:03 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> track: yes
> auto-renew: yes
> Request ID '20121102143233':
> status: NEED_TO_SUBMIT
> ca-error: Server at https://ipa1.example.com/ipa/xml failed request,
> will retry: -504 (libcurl failed to execute the HTTP POST transaction. 
> Peer certificate cannot be authenticated with known CA certificates).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa1.example.com,O=EXAMPLE.COM
> expires: 2020-11-02 14:31:03 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20121102143246':
> status: NEED_TO_SUBMIT
> ca-error: Server at https://ipa1.example.com/ipa/xml failed request,
> will retry: -504 (libcurl failed to execute the HTTP POST transaction. 
> Peer certificate cannot be authenticated with known CA certificates).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa1.example.com,O=EXAMPLE.COM
> expires: 2020-11-02 14:31:03 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20130311204105':
> status: NEED_TO_SUBMIT
> ca-error: Error 60 connecting to
> https://ipa1.example.com:9443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with known CA certificates.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=CA Audit,O=EXAMPLE.COM
> expires: 2020-11-02 14:31:03 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130311204106':
> status: NEED_TO_SUBMIT
> ca-error: Error 60 connecting to
> https://ipa1.example.com:9443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with known CA certificates.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> expires: 2020-11-02 14:31:03 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes

I'd suggest you start with Flo's blog:

https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

To get things to renew you'll need to stop ntpd/chronyd and move the
system back in time to when all the certificates are valid.

rob
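
The clock-rollback Rob describes has one number that matters: how far back to go. The script below is an added example, not part of this thread or of FreeIPA; it reads `getcert list` output, finds the earliest "expires:" timestamp, picks a time a day before it, and prints the steps as a dry run (it stops nothing and changes no clock). The sample input is constructed to look like the quoted output, GNU `date -d` is assumed for the timestamp parsing, and `service ntpd stop` is a guess at the init system of an IPA 3 era host; the resubmit lines are generated from whatever request IDs appear in the input.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Reads `getcert list`
# output, works out the earliest tracked expiry, and prints (does not run)
# the rollback-and-renew sequence. GNU date assumed for `-d`.

# Constructed sample in the format getcert prints; the second request expires
# later, so the first one is the deadline the rollback has to beat.
SAMPLE_GETCERT="Request ID '20121102143154':
status: NEED_TO_SUBMIT
expires: 2020-11-02 14:31:03 UTC
Request ID '20130311204105':
status: NEED_TO_SUBMIT
expires: 2020-11-03 09:00:00 UTC
"

# earliest_expiry: stdin is getcert output; prints the earliest expiry as
# "YYYY-MM-DD HH:MM:SS". Lexical sort is chronological for this format.
earliest_expiry() {
    sed -n 's/^[[:space:]]*expires: \([0-9-]\{10\} [0-9:]\{8\}\) UTC[[:space:]]*$/\1/p' \
        | sort | head -n 1
}

# rollback_epoch TS [HOURS]: epoch seconds HOURS (default 24) before the UTC
# timestamp TS. A day of margin keeps the clock inside every cert's validity
# while certmonger resubmits; pick fewer hours if a cert was issued that recently.
rollback_epoch() {
    ts="$1"; hours="${2:-24}"
    exp_epoch=$(date -u -d "$ts UTC" +%s) || return 1
    echo $((exp_epoch - hours * 3600))
}

# rollback_plan: stdin is getcert output; prints the commands for the master,
# in order, with one resubmit per tracked request. Nothing is executed.
rollback_plan() {
    input=$(cat)
    earliest=$(printf '%s\n' "$input" | earliest_expiry)
    [ -n "$earliest" ] || { echo "no 'expires:' lines found" >&2; return 1; }
    target=$(rollback_epoch "$earliest" 24) || return 1
    when=$(date -u -d "@$target" '+%Y-%m-%d %H:%M:%S')
    echo "# earliest tracked expiry: $earliest UTC; clock goes back to $when UTC"
    echo "service ntpd stop            # or: systemctl stop chronyd; keep it stopped until done"
    echo "date -u -s '$when'"
    echo "ipactl restart"
    printf '%s\n' "$input" \
        | sed -n "s/^[[:space:]]*Request ID '\([0-9]*\)':[[:space:]]*$/getcert resubmit -i \1/p"
    echo "getcert list | grep -E 'status|expires'   # every request MONITORING with a new expiry"
    echo "service ntpd start           # only after all renewals have gone through"
}

# Dry run against the constructed sample:
printf '%s' "$SAMPLE_GETCERT" | rollback_plan
```

On a real host, pipe `getcert list` into `rollback_plan` and read the plan before typing any of it. Two things to check by hand: the chosen time must also be after the notBefore of the CA certificate and of every tracked cert (otherwise use a smaller margin), and once the clock has moved, expect to `kdestroy` and `kinit admin` again before the IPA commands will talk to the server.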


In the first article:

https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/

[root@ipa1 ~]#certmonger list-cas
Error connecting to D-Bus.

Thanks,
Mike