Hello, 

I think this is everything (domain name changed to protect the guilty!): 

https://pastebin.com/bF1KR7VJ

I pulled the same on the replica, which appears to be playing up too in a similar fashion. 

I did just notice the date on the replica is out; I never set it back when I was trying to get the cert to renew.

Let me know if you need anything else.

Thanks,

Thomas

On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal@redhat.com> wrote:
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an
> expired certificate which I renewed and all seemed good.
>
> Seemed...
>
> It now appears that although the certificate renewed as seen by getcert
> -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> services won't start unless I set the date to before the certificate
> expired, and even then sometimes the httpd error_log shows:
> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> to nss.conf so the server can start until the problem can be resolved.
> and the service fails to start.
>
Hi Thomas,

Can you please show `getcert list` output on the server in question,
as well as the output of

    certutil -d /etc/httpd/alias -L -n Server-Cert

and

    certutil -d /etc/pki/pki-tomcatd/alias -L -n <nickname>

for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.

And Certmonger journal output.  And pki debug log
/var/log/pki/pki-tomcat/ca/debug.

It is strange that `getcert list` shows an up to date certificate
while the actual certificate that is being tracked is expired...

Thanks,
Fraser

> I've tried resubmitting the certificate, and it doesn't seem to throw an
> error, but it doesn't update /alias either.
> Trying to access the server via the web page shows the old certificate
> still in use.
> I see the same certificate error with the replica server, which was freshly
> rebuilt and added last week.
> I've doubtless dug further into the hole trying to troubleshoot this, so I
> probably need to start from the beginning again, and a pointer in the right
> direction would be a great help!
>
> A getcert list shows all the certificates expiry dates well into the future.
>
> How can I get the certs back in sync? I've found a few guides and most seem
> to be for earlier versions, and I'm not sure if they're still current.
>
> I can post whatever logs you think will help, I'm afraid I'm not familiar
> enough with them all to tell which are the most relevant. Is there a guide
> for the logs?
>
> Thanks for any help you can give,
>
> Thomas

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
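Fraser's diagnostic step above amounts to comparing what certmonger believes (`getcert list`, with its `expires:` line) against the certificate actually sitting in the NSS database it points at (`certutil -d <dir> -L -n <nickname>`, with its `Not After` line). The script below automates that comparison; it is an added example for this thread, not code from FreeIPA, certmonger or either poster. The two embedded sample outputs are constructed to mimic the two commands' formats and are not taken from the reporter's pastebin; the function names, the `EXAMPLE.TEST` names and the assumption that certutil prints validity times in UTC are mine.

```python
"""Cross-check certmonger's view of a tracked certificate against the copy in
the NSS database it tracks.  Added example; not FreeIPA or certmonger code."""
import re
import subprocess
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample: one tracked request as `getcert list` prints it.  Note the
# future expiry certmonger reports (the symptom in the thread).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20180601120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2020-06-20 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed sample: the validity block `certutil -d /etc/httpd/alias -L -n
# Server-Cert` prints for the certificate still in the NSS DB (already expired).
SAMPLE_CERTUTIL_SERVER_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Validity:
            Not Before: Mon Jun 20 12:00:00 2016
            Not After : Wed Jun 20 12:00:00 2018
        Subject: "CN=ipa.example.test,O=EXAMPLE.TEST"
"""


def parse_getcert_list(text):
    """One dict per 'Request ID' block: request_id, location, nickname, expires."""
    tracked, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            tracked.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'", line)
        if m:
            current["location"], current["nickname"] = m.group(1), m.group(2)
        m = re.match(r"expires: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC$", line)
        if m:
            current["expires"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return tracked


def parse_not_after(certutil_text):
    """'Not After' from `certutil -L -n` output (assumed to be printed in UTC)."""
    m = re.search(r"Not After\s*:\s*(.+)$", certutil_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=UTC)


def compare(tracked, nssdb_not_after, now):
    """Classify each NSSDB-backed tracked cert against the copy in the database.

    nssdb_not_after maps (location, nickname) -> 'Not After' datetime.  Returns
    (nickname, verdict) pairs; verdict is 'in-sync', 'expired-in-nssdb',
    'nssdb-copy-differs' or 'missing-from-nssdb'.
    """
    findings = []
    for t in tracked:
        if "nickname" not in t:          # file-backed requests are not NSS DB entries
            continue
        actual = nssdb_not_after.get((t["location"], t["nickname"]))
        if actual is None:
            verdict = "missing-from-nssdb"
        elif actual < now:
            verdict = "expired-in-nssdb"   # getcert says renewed, NSS DB holds the old cert
        elif actual != t.get("expires"):
            verdict = "nssdb-copy-differs"  # still valid, but not the cert certmonger reports
        else:
            verdict = "in-sync"
        findings.append((t["nickname"], verdict))
    return findings


def check_sample(now=datetime(2018, 6, 24, tzinfo=UTC)):
    """Run the comparison offline over the constructed samples."""
    tracked = parse_getcert_list(SAMPLE_GETCERT_LIST)
    nssdb = {("/etc/httpd/alias", "Server-Cert"): parse_not_after(SAMPLE_CERTUTIL_SERVER_CERT)}
    return compare(tracked, nssdb, now)


def check_live():
    """Same comparison against the real commands on a FreeIPA host (run as root)."""
    run = lambda cmd: subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    tracked = [t for t in parse_getcert_list(run(["getcert", "list"])) if "nickname" in t]
    nssdb = {}
    for t in tracked:
        out = run(["certutil", "-d", t["location"], "-L", "-n", t["nickname"]])
        nssdb[(t["location"], t["nickname"])] = parse_not_after(out)
    return compare(tracked, nssdb, datetime.now(UTC))


if __name__ == "__main__":
    for nickname, verdict in check_sample():
        print(f"{nickname}: {verdict}")
```

Run as-is it reports `Server-Cert: expired-in-nssdb` for the constructed data; swapping `check_sample()` for `check_live()` in the last block runs it against the host, and an `expired-in-nssdb` or `nssdb-copy-differs` verdict for any nickname is exactly the condition where httpd's NSS module will refuse `Server-Cert` even though `getcert list` looks healthy.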