From CS.cfg:
selftests.container.order.startup=SystemCertsVerification:critical, CAPresence:critical
More observations
The following appears in /var/lib/pki/pki-tomcat/logs/ca/selftest.log during the pki-server cert-fix failure:
0.localhost-startStop-1 - [25/May/2022:05:13:11 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certutils.verifySystemCertValidityByNickname: faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
I'm nearly out of ideas at the moment, still applying the following logic:
Since it fails to validate the expired OCSP certificate, let's go back in time to the moment when it was still valid, and it should probably do.
It expired on Apr 25th; I rewound to Apr 23rd and reran ipa-cert-fix.
However, it fails on the password update for some reason:
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket /var/run/slapd-...socket --agent-uid ipara --cert subsystem --cert ca_ocsp_signing --extra-cert 268304408
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=Result: Operations error (1)
Additional info: Failed to update password
ERROR: Command '['ldappasswd', '-H', 'ldapi://%2Fvar%2Frun%2Fslapd....socket', '-Y', 'EXTERNAL', '-T', '/tmp/tmpArCc5k', 'uid=pkidbuser,ou=people,o=ipaca']' returned non-zero exit status 1
ipapython.ipautil: DEBUG: stderr=INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing']
INFO: Renewing the following additional certs: ['268304408']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 117, in run
run_cert_fix(certs, extra_certs)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 245, in run_cert_fix
ipautil.run(cmd, raiseonerr=True)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: CalledProcessError: Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-....socket --agent-uid ipara --cert subsystem --cert ca_ocsp_signing --extra-cert 268304408' returned non-zero exit status 1
ipapython.admintool: ERROR: Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-....socket --agent-uid ipara --cert subsystem --cert ca_ocsp_signing --extra-cert 268304408' returned non-zero exit status 1
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
When the date is the current one, there's no password update issue.
Is there perhaps a workaround for this?
Otherwise, is there any way to migrate the directory in its existing state to RHEL 8 or whatever recent IPA version?
Thank you
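An added example, not code from the post or from the pki/ipa projects: it parses the selftests.container.order.startup line from CS.cfg and the selftest.log failure line quoted above, and reports whether the failing selftest is marked critical, which is what keeps the CA from starting and so blocks pki-server cert-fix. The regular expression and function names are my own assumptions about the log format; the two sample lines are copied from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input copied from the post above (CS.cfg key and selftest.log line).
CS_CFG_LINE = (
    "selftests.container.order.startup="
    "SystemCertsVerification:critical, CAPresence:critical"
)
SELFTEST_LOG_LINE = (
    "0.localhost-startStop-1 - [25/May/2022:05:13:11 PDT] [20] [1] "
    "SystemCertsVerification: system certs verification failure: "
    "Certutils.verifySystemCertValidityByNickname: faliled: nickname: "
    "ocspSigningCert cert-pki-cacause: java.lang.Exception: "
    "Certutils.verifySystemCertValidityByNickname: failed: nickname: "
    "ocspSigningCert cert-pki-ca"
)

def parse_startup_order(line: str) -> List[Tuple[str, str]]:
    """Turn 'selftests.container.order.startup=A:critical, B:critical'
    into an ordered list of (selftest name, level)."""
    key, _, value = line.partition("=")
    if key.strip() != "selftests.container.order.startup":
        raise ValueError("not the startup selftest order key")
    order = []
    for item in value.split(","):
        item = item.strip()
        if item:
            name, _, level = item.partition(":")
            order.append((name.strip(), level.strip() or "non-critical"))
    return order

# Assumed log shape: '[...] [n] [n] <Test>: ... failure: ... nickname: <nick>'
# The nickname is cut at 'cause:' because the log glues the cause on directly.
_FAILURE_RE = re.compile(
    r"\]\s+(?P<test>\w+):\s.*?failure:.*?nickname:\s*(?P<nickname>.+?)(?:cause:|$)"
)

def parse_selftest_failure(line: str) -> Optional[Dict[str, str]]:
    """Return the failing selftest and cert nickname, or None if the line
    does not report a failure."""
    m = _FAILURE_RE.search(line)
    if not m:
        return None
    return {"test": m.group("test"), "nickname": m.group("nickname").strip()}

def blocks_startup(cfg_line: str, log_line: str) -> bool:
    """True when the failed selftest is 'critical' in the startup order,
    meaning the subsystem will refuse to start until the cert is renewed."""
    failure = parse_selftest_failure(log_line)
    if failure is None:
        return False
    return dict(parse_startup_order(cfg_line)).get(failure["test"]) == "critical"
```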