[Freeipa-users] Server-Cert cert-pki-ca was expired and wasn't renewed automatically

Hi, I have 2 nodes of IPA system. The 'Server-Cert cert-pki-ca' of master node was expired unexpectedly. Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTS( pki-tomcat), AKA Dogtag website. As it was expired, Dogtag is OOS, either. Right now, those services are not running, --- pki-tomcatd Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED --- This is /var/log/pki/pki-tomcat/ca/selftests.log --------------------- 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired. 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! ----------------- And /var/log/pki/pki-tomcat/ca/debug ------------ [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. ----------------- Output from certutil: ------- Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK" Validity: Not Before: Tue Nov 21 08:43:11 2017 Not After : Mon Nov 11 08:43:11 2019 Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK" ---------- This certificate was expired, so here comes the point, 1. Why ipa cert-mon did monitor and renew it? So weired. getcert list | grep tomcat -i does not return this certificate. 2. How to fix it? it's renewal master by 'ipa config-show | grep 'IPA CA renewal master' 1) I reset the clock during the valid period, and restart services. it failed. 2) I plan to renew or recreate a Server-Cert since my CA is still valid, but I'm not sure it's doable and don't know how. Not sure it's a bug or not, my slave node is good, both are running freeipa v4.6.4. Thanks a lot.