Hello,
I think this is everything (domain name changed to protect the guilty!):
https://pastebin.com/bF1KR7VJ
I pulled the same on the replica, which appears to be playing up too in a
similar fashion.
I did just notice the date on the replica is out, I never set it back when
I was trying to get the cert to renew.
Let me know if you need anything else.
Thanks,
Thomas
On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an
> expired certificate which I renewed and all seemed good.
>
> Seemed...
>
> It now appears that although the certificate renewed as seen by getcert
> -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> services won't start unless I set the date to before the certificate
> expired, and even then sometimes the httpd error_log shows:
> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> to nss.conf so the server can start until the problem can be resolved.
> and the service fails to start.
>
Hi Thomas,
Can you please show `getcert list` output on the server in question,
as well as the output of
certutil -d /etc/httpd/alias -L Server-Cert
and
certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
And Certmonger journal output. And pki debug log
/var/log/pki/pki-tomcat/ca/debug.
It is strange that `getcert list` shows an up to date certificate
while the actual certificate that is being tracked is expired...
Thanks,
Fraser
> I've tried resubmitting the certificate, and it doesn't seem to throw an
> error, but it doesn't update /alias either.
> Trying to access the server via the web page shows the old certificate
> still in use.
> I see the same certificate error with the replica server, which was freshly
> rebuilt and added last week.
> I've doubtless dug further into the hole trying to troubleshoot this, so I
> probably need to start from the beginning again, and a pointer in the right
> direction would be a great help!
>
> A getcert list shows all the certificates' expiry dates well into the future.
>
> How can I get the certs back in sync? I've found a few guides and most seem
> to be for earlier versions, and I'm not sure if they're still current.
>
> I can post whatever logs you think will help, I'm afraid I'm not familiar
> enough with them all to tell which are the most relevant. Is there a guide
> for the logs?
>
> Thanks for any help you can give,
>
> Thomas
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
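The check Fraser asks for above (compare what `getcert list` reports against the certificate actually sitting in each NSS database) can be scripted so the mismatch shows up per tracked request instead of by eyeballing two outputs. The script below is an added example written for this thread, not code from the thread, from certmonger or from FreeIPA. It assumes the `getcert list` and `certutil -L -n <nick>` output formats as written in its sample strings (which are constructed, not captured from Thomas's server), treats certutil's zone-less "Not After" timestamp as UTC, and uses the standard Dogtag NSSDB path /etc/pki/pki-tomcat/alias for its tomcat sample. When run on a host without `getcert`/`certutil` it falls back to the constructed samples.

```python
"""Compare certmonger's view of each tracked cert with the cert actually in the NSSDB.

Added example for the FreeIPA-users thread above; not certmonger/FreeIPA code.
Sample outputs below are constructed for illustration.
"""
import re
import shutil
import subprocess
from datetime import datetime, timezone

UTC = timezone.utc


def parse_getcert_list(text):
    """Map each certmonger request ID to the NSSDB it writes to and the expiry it reports."""
    tracked = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = tracked.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'", line)
        if m:
            current["location"], current["nickname"] = m.group(1), m.group(2)
            continue
        m = re.match(r"expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", line)
        if m:
            current["expires"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return tracked


def parse_nicknames(text):
    """Nicknames from `certutil -d <dir> -L`; the table header ends at the first blank line."""
    names, in_table = [], False
    for line in text.splitlines():
        if not line.strip():
            in_table = True
            continue
        if in_table:
            names.append(line.rsplit(None, 1)[0])  # trust flags are the last token
    return names


def parse_certutil_not_after(text):
    """'Not After' from `certutil -L -n <nick>`; certutil prints no zone, assumed UTC here."""
    m = re.search(r"Not After\s*:\s*(.+)", text)
    if not m:
        return None
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=UTC)


def compare(tracked, on_disk, now):
    """Verdict per request ID: does the cert in the NSSDB agree with what getcert claims?"""
    verdicts = {}
    for rid, info in tracked.items():
        claimed = info.get("expires")
        actual = on_disk.get((info.get("location"), info.get("nickname")))
        if actual is None:
            verdicts[rid] = "not-in-nssdb"
        elif actual < now:
            verdicts[rid] = "expired-on-disk"  # the symptom in this thread: getcert happy, NSSDB cert expired
        elif claimed is None or abs((actual - claimed).total_seconds()) > 60:
            verdicts[rid] = "expiry-mismatch"
        else:
            verdicts[rid] = "ok"
    return verdicts


# Constructed sample outputs (dates chosen around the thread's own June 2018 timeframe).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170622061621':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2020-06-23 06:16:21 UTC
Request ID '20170622061700':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2020-06-23 06:17:00 UTC
"""

SAMPLE_NSSDB_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
"""

SAMPLE_CERTUTIL = {
    ("/etc/httpd/alias", "Server-Cert"):
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not Before: Thu Jun 22 06:16:21 2017\n"
        "            Not After : Sat Jun 23 06:16:21 2018\n",   # renewed in certmonger, stale on disk
    ("/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"):
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not Before: Thu Jun 22 06:17:00 2017\n"
        "            Not After : Tue Jun 23 06:17:00 2020\n",
}


def demo():
    """Run the comparison over the constructed samples, as of 25 June 2018."""
    tracked = parse_getcert_list(SAMPLE_GETCERT)
    on_disk = {key: parse_certutil_not_after(out) for key, out in SAMPLE_CERTUTIL.items()}
    return compare(tracked, on_disk, datetime(2018, 6, 25, tzinfo=UTC))


def collect_live():
    """Same check against a real IPA server; returns None where getcert/certutil are absent."""
    if not (shutil.which("getcert") and shutil.which("certutil")):
        return None
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    tracked = parse_getcert_list(out)
    on_disk = {}
    for info in tracked.values():
        loc, nick = info.get("location"), info.get("nickname")
        if loc and nick:
            res = subprocess.run(["certutil", "-d", loc, "-L", "-n", nick], capture_output=True, text=True)
            on_disk[(loc, nick)] = parse_certutil_not_after(res.stdout)
    return compare(tracked, on_disk, datetime.now(UTC))


if __name__ == "__main__":
    for rid, verdict in (collect_live() or demo()).items():
        print(rid, verdict)
```

An "expired-on-disk" verdict for a request that `getcert list` shows as MONITORING with a future expiry is exactly the condition Fraser calls strange: certmonger obtained a new certificate but never wrote it back into the NSSDB that httpd or pki-tomcatd actually reads. `parse_nicknames` is there so the same loop can be pointed at every nickname in an NSSDB, not only the ones certmonger tracks.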