Hello,
I think this is everything (domain name changed to protect the guilty!):
I pulled the same on the replica, which appears to be playing up too in a similar fashion.
I did just notice the date on the replica is out, I never set it back when I was trying to get the cert to renew.
Let me know if you need anything else.
Thanks,
Thomas
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an
> expired certificate which I renewed and all seemed good.
>
> Seemed...
>
> It now appears that although the certificate renewed as seen by getcert
> list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> services won't start unless I set the date to before the certificate
> expired, and even then sometimes the httpd error_log shows:
> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> to nss.conf so the server can start until the problem can be resolved.
> and the service fails to start.
>
Hi Thomas,
Can you please show `getcert list` output on the server in question,
as well as the output of
certutil -d /etc/httpd/alias -L Server-Cert
and
certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
And Certmonger journal output. And pki debug log
/var/log/pki/pki-tomcat/ca/debug.
It is strange that `getcert list` shows an up to date certificate
while the actual certificate that is being tracked is expired...
Thanks,
Fraser
> I've tried resubmitting the certificate, and it doesn't seem to throw an
> error, but it doesn't update /alias either.
> Trying to access the server via the web page shows the old certificate
> still in use.
> I see the same certificate error with the replica server, which was freshly
> rebuilt and added last week.
> I've doubtless dug further into the hole trying to troubleshoot this, so I
> probably need to start from the beginning again, and a pointer in the right
> direction would be a great help!
>
> A getcert list shows all the certificates expiry dates well into the future.
>
> How can I get the certs back in sync? I've found a few guides and most seem
> to be for earlier versions, and I'm not sure if they're still current.
>
> I can post whatever logs you think will help, I'm afraid I'm not familiar
> enough with them all to tell which are the most relevant. Is there a guide
> for the logs?
>
> Thanks for any help you can give,
>
> Thomas
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
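The cross-check Fraser asks for above, `getcert list` against `certutil -L` for every nickname certmonger tracks in an NSS database, scripted as an added example. This is not code from the thread, from FreeIPA or from certmonger. It assumes the output formats shown in the constructed samples (certmonger 0.79 and later print `expires: YYYY-MM-DD HH:MM:SS UTC`, older builds print `expires: YYYYMMDDHHMMSS`; certutil prints validity in GMT as `Not After : Sun Jun 17 10:00:00 2018`); the request IDs, nicknames, paths and dates in the samples are made up. Because the script walks every NSSDB-backed tracking request, it covers both /etc/httpd/alias and the pki-tomcatd database without listing nicknames by hand.

```python
"""Compare what certmonger thinks it renewed with what is really in the NSS DB.

Added example; not FreeIPA, certmonger or NSS project code. Output formats
below are assumptions based on typical getcert/certutil output.
"""
import re
import subprocess
from datetime import datetime, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':", re.M)
LOCATION_RE = re.compile(
    r"certificate: type=NSSDB,location='(?P<db>[^']+)',nickname='(?P<nick>[^']+)'")
EXPIRES_RE = re.compile(r"^\s*expires: (?P<when>.+?)\s*$", re.M)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(?P<when>.+?)\s*$", re.M)


def parse_getcert_time(text):
    """certmonger prints either '20200622231621' or '2020-06-22 23:16:21 UTC'."""
    text = text.strip()
    fmt = "%Y%m%d%H%M%S" if re.fullmatch(r"\d{14}", text) else "%Y-%m-%d %H:%M:%S UTC"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_certutil_time(text):
    """certutil prints validity in GMT, e.g. 'Sun Jun 17 10:00:00 2018'."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_getcert_list(output):
    """Return the NSSDB-backed tracking requests from `getcert list` output."""
    chunks = REQUEST_RE.split(output)  # [preamble, id1, body1, id2, body2, ...]
    requests = []
    for req_id, body in zip(chunks[1::2], chunks[2::2]):
        loc, exp = LOCATION_RE.search(body), EXPIRES_RE.search(body)
        if loc and exp:
            requests.append({"id": req_id, "db": loc["db"], "nick": loc["nick"],
                             "expires": parse_getcert_time(exp["when"])})
    return requests


def parse_certutil_not_after(output):
    m = NOT_AFTER_RE.search(output)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return parse_certutil_time(m["when"])


def audit(listing, certutil_for, now=None):
    """Classify each request: 'ok', 'expired', or 'mismatch' (the symptom in
    the thread: certmonger reports a fresh cert, the NSS DB still holds the old one).
    certutil_for(db, nick) must return the text of `certutil -L -d db -n nick`."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for req in parse_getcert_list(listing):
        in_db = parse_certutil_not_after(certutil_for(req["db"], req["nick"]))
        if in_db != req["expires"]:
            status = "mismatch"
        elif in_db <= now:
            status = "expired"
        else:
            status = "ok"
        results[req["id"]] = {"db": req["db"], "nick": req["nick"], "status": status,
                              "certmonger_expires": req["expires"], "nssdb_not_after": in_db}
    return results


def audit_live():
    """Run the real commands (needs root plus the getcert and certutil binaries)."""
    def certutil_for(db, nick):
        return subprocess.run(["certutil", "-L", "-d", db, "-n", nick],
                              capture_output=True, text=True, check=True).stdout
    listing = subprocess.run(["getcert", "list"], capture_output=True, text=True,
                             check=True).stdout
    return audit(listing, certutil_for)


# Constructed sample output (made-up IDs, names and dates) so the example runs offline.
SAMPLE_NOW = datetime(2018, 6, 23, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20180601120000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2020-06-22 23:16:21 UTC
Request ID '20180601120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcatd/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 20200622231621
"""
SAMPLE_CERTUTIL = {
    # httpd still serves the old cert: certmonger says 2020, the DB says 2018.
    ("/etc/httpd/alias", "Server-Cert"): """Certificate:
    Data:
        Validity:
            Not Before: Sat Jun 17 10:00:00 2017
            Not After : Sun Jun 17 10:00:00 2018
""",
    ("/etc/pki/pki-tomcatd/alias", "auditSigningCert cert-pki-ca"): """Certificate:
    Data:
        Validity:
            Not Before: Fri Jun 22 23:16:21 2018
            Not After : Mon Jun 22 23:16:21 2020
""",
}


def sample_audit():
    return audit(SAMPLE_GETCERT, lambda db, nick: SAMPLE_CERTUTIL[(db, nick)], now=SAMPLE_NOW)


if __name__ == "__main__":
    for req_id, r in sample_audit().items():
        print(f"{req_id} {r['db']}:{r['nick']} -> {r['status']} "
              f"(certmonger {r['certmonger_expires']:%Y-%m-%d}, nssdb {r['nssdb_not_after']:%Y-%m-%d})")
```

On a live server run `audit_live()` as root; a `mismatch` entry names the database and nickname whose on-disk certificate differs from the one certmonger reports, which is exactly the pair of outputs Fraser wants to see side by side. The two formats are compared as timezone-aware UTC datetimes, so a one-second difference is reported rather than masked.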