I have a FreeIPA setup with two nodes. I have no problem with one of them, but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and reports pki-tomcatd Service: STOPPED.
The first thing I found was an expired certificate, so I changed the date back to before the expiration date. ipa-cacert-manage renew says OK, but the certificate for pki-tomcat doesn't work.
getcert list shows all certificates are fine, but not this one:

Request ID '20171110140549':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=DOMAIN.COM
	subject: CN=ipa0.domain.com,O=DOMAIN.COM
	expires: 2019-10-31 14:05:23 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /ca/agent/ca/profileReview</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/agent/ca/profileReview</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.0.46</h3></bod
What can I do to make pki-tomcat work? How can I repair the certificate?
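On a replica with many tracked certificates, the getcert list output quoted above is easier to triage when parsed. The following is an added example, not part of the question: it splits the output into one record per Request ID and flags requests that are not in MONITORING, carry a ca-error, or are past their expiry. The sample input is constructed in the same layout as the output above; the request IDs and hostname are copied from the question.

```python
import re
from datetime import datetime, timezone

# Constructed sample in getcert list layout (tab-indented "key: value" lines
# under each "Request ID" header). The second record mirrors the broken
# pki-tomcat request from the question; the first is a healthy neighbour.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171110140548':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa0.domain.com,O=DOMAIN.COM
\texpires: 2019-10-31 14:05:22 UTC
Request ID '20171110140549':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=ipa0.domain.com,O=DOMAIN.COM
\texpires: 2019-10-31 14:05:23 UTC
"""

def parse_getcert(text):
    """Return one dict per tracking request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: ca-error values contain URLs.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_requests(requests, now=None):
    """Return (request id, reason) pairs for requests that need attention."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for r in requests:
        if r.get("status") != "MONITORING":
            problems.append((r["id"], "status " + r.get("status", "?")))
        if "ca-error" in r:
            problems.append((r["id"], "ca-error: " + r["ca-error"]))
        if "expires" in r:
            # getcert prints expiry as "YYYY-MM-DD HH:MM:SS UTC"; treat it as UTC.
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append((r["id"], "expired " + r["expires"]))
    return problems

if __name__ == "__main__":
    for rid, why in check_requests(parse_getcert(SAMPLE)):
        print(rid, why)
```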