Hi, I have 2 nodes of an IPA system. The 'Server-Cert cert-pki-ca' of the master node
expired unexpectedly.
Based on
https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is
for HTTPS (pki-tomcat), AKA the Dogtag website.
As it expired, Dogtag is OOS too.
Right now, these services are not running:
---
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
---
This is /var/log/pki/pki-tomcat/ca/selftests.log:
---------------------
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired.
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
-----------------
And /var/log/pki/pki-tomcat/ca/debug:
------------
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
-----------------
Output from certutil:
-------
Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
Validity:
Not Before: Tue Nov 21 08:43:11 2017
Not After : Mon Nov 11 08:43:11 2019
Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
----------
This certificate has expired, so here come my questions:
1. Why did ipa cert-mon not monitor and renew it? So weird.
getcert list | grep tomcat -i
does not return this certificate.
2. How to fix it? It is the renewal master, per 'ipa config-show | grep 'IPA CA
renewal master''.
1) I reset the clock to a time within the validity period and restarted the services. It failed.
2) I plan to renew or recreate the Server-Cert since my CA is still valid, but I'm
not sure it's doable and don't know how.
Not sure if it's a bug or not; my slave node is good. Both are running FreeIPA v4.6.4.
Thanks a lot.
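The post's two symptoms (an expired Dogtag system cert, and that cert missing from `getcert list`) can be caught before pki-tomcat refuses to start. Below is an added example, not from the original post or from FreeIPA, that audits certutil validity output against certmonger's tracking list; the inputs are constructed from the post's values (the caSigningCert entry and the getcert request ID are invented sample data), and on a real host they would come from `certutil -L -d /etc/pki/pki-tomcat/alias -n '<nickname>'` and `getcert list`.

```python
import re
from datetime import datetime

NSSDB = "/etc/pki/pki-tomcat/alias"

# Constructed sample: per-nickname output of `certutil -L -d <db> -n <nick>`.
CERTUTIL_OUTPUT = {
    "Server-Cert cert-pki-ca": """\
        Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
        Validity:
            Not Before: Tue Nov 21 08:43:11 2017
            Not After : Mon Nov 11 08:43:11 2019
        Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
""",
    "caSigningCert cert-pki-ca": """\
        Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
        Validity:
            Not Before: Tue Nov 21 08:40:00 2017
            Not After : Sat Nov 21 08:40:00 2037
        Subject: "CN=Certificate Authority,O=IPA.PTHL.HK"
""",
}
# Constructed sample of `getcert list`: only the CA signing cert is tracked.
GETCERT_LIST = """\
Request ID '20171121084000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
"""
# Assumed "now": the timestamp of the selftests.log failure in the post.
REFERENCE_NOW = datetime(2019, 12, 25, 16, 16, 54)

NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)$", re.M)
TRACKED = re.compile(r"certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'")

def not_after(certutil_text):
    """Parse the 'Not After' line; certutil prints local time, compared as naive here."""
    m = NOT_AFTER.search(certutil_text)
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")

def tracked_nicknames(getcert_text, location):
    """Nicknames in the given NSS DB that certmonger reports as tracked."""
    return {nick for loc, nick in TRACKED.findall(getcert_text) if loc == location}

def audit(certs, getcert_text, location, now, warn_days=30):
    """Map nickname -> problems for certs that are expired, near expiry, or untracked."""
    tracked = tracked_nicknames(getcert_text, location)
    report = {}
    for nick, text in certs.items():
        problems, expiry = [], not_after(text)
        if expiry <= now:
            problems.append("expired %s" % expiry.date())
        elif (expiry - now).days < warn_days:
            problems.append("expires within %d days" % warn_days)
        if nick not in tracked:
            problems.append("not tracked by certmonger")
        if problems:
            report[nick] = problems
    return report

def run_example():
    return audit(CERTUTIL_OUTPUT, GETCERT_LIST, NSSDB, REFERENCE_NOW)
```

Run as a periodic check, a non-empty report for any `cert-pki-ca` nickname is the early warning that the post's outage would have given weeks earlier.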