Hello Florence,

It was the Signing-Cert and the I.domain.NET IPA CA cert. By setting the clock back I managed to get those to renew, now it seems I just need to get tomcat-pki to start.

The error is:

Internal Database Error encountered: Could not connect to LDAP server host xipa1.i.xrs444.net port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195) Peer does not recognize and trust the CA that issued your certificate. (-1)

certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
O=domain,ST=Arizona,C=US                                     CT,C,C
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

These are all set to expire in 2020 or beyond.

certutil -d /etc/httpd/alias -L Server-Cert

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
O=xrs444,ST=Arizona,C=US                                     CT,C,C
I.XRS444.NET IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u

I.XRS444.NET IPA CA and Signing-Cert are the expired certs here.

Thomas




On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> After some fiddling with dates some more I seem to have the HTTPD cert
> in sync, however it appears the cert signing cert is expired.
>
> named also says it's starting, but doesn't seem to want to respond.
>
> I don't have time to dig into it more tonight, but let me know what
> other information or tests I can run and I'll get them posted tomorrow.
>
> Thanks all.
>
> Thomas
>
> On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <xrs444@xrs444.net
> <mailto:xrs444@xrs444.net>> wrote:
>
>     Hello,
>
>     I think this is everything (domain name changed to protect the
>     guilty!):
>
>     https://pastebin.com/bF1KR7VJ
>
Hi Thomas,

in the provided pastebin, the error 'certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format' can be easily explained: there is a typo in the
directory path.
You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>
(note the pki-tomcat instead of pki-tomcat*d*).

You mention that the cert signing cert is expired, can you clarify which
certificate this is? Please provide the subject name, certificate
nickname and location.

Flo
>     I pulled the same on the replica, which appears to be playing up too
>     in a similar fashion.
>
>     I did just notice the date on the replica is out, I never set it
>     back when I was trying to get the cert to renew.
>
>     Let me know if you need anything else.
>
>     Thanks,
>
>     Thomas
>
>     On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal@redhat.com
>     <mailto:ftweedal@redhat.com>> wrote:
>
>         On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via
>         FreeIPA-users wrote:
>          > Hello all,
>          > I had an issue a short while ago with a replica which turned
>         out to be an
>          > expired certificate which I renewed and all seemed good.
>          >
>          > Seemed...
>          >
>          > It now appears that although the certificate renewed as seen
>         by getcert
>          > -list, it didn't update /etc/httpd/alias and so the httpd and
>         tomcat-pki
>          > services won't start unless I set the date to before the
>         certificate
>          > expired, and even then sometimes the httpd error_log shows:
>          > Unable to verify certificate 'Server-Cert'. Add
>         "NSSEnforceValidCerts off"
>          > to nss.conf so the server can start until the problem can be
>         resolved.
>          > and the service fails to start.
>          >
>         Hi Thomas,
>
>         Can you please show `getcert list` output on the server in question,
>         as well as the output of
>
>              certutil -d /etc/httpd/alias -L Server-Cert
>
>         and
>
>              certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
>
>         for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
>
>         And Certmonger journal output.  And pki debug log
>         /var/log/pki/pki-tomcat/ca/debug.
>
>         It is strange that `getcert list' shows an up to date certificate
>         while the actual certificate that is being tracked is expired...
>
>         Thanks,
>         Fraser
>
>          > I've tried resubmitting the certificate, and it doesn't seem
>         to throw an
>          > error, but it doesn't update /alias either.
>          > Trying to access the server via the web page shows the old
>         certificate
>          > still in use.
>          > I see the same certificate error with the replica server,
>         which was freshly
>          > rebuilt and added last week.
>          > I've doubtless dug further into the hole trying to
>         troubleshoot this, so I
>          > probably need to start from the beginning again, and a
>         pointer in the right
>          > direction would be a great help!
>          >
>          > A getcert list shows all the certificates expiry dates well
>         into the future.
>          >
>          > How can I get the certs back in sync? I've found a few guides
>         and most seem
>          > to be for earlier versions, and I'm not sure if they're still
>         current.
>          >
>          > I can post whatever logs you think will help, I'm afraid I'm
>         not familiar
>          > enough with them all to tell which are the most relevant. Is
>         there a guide
>          > for the logs?
>          >
>          > Thanks for any help you can give,
>          >
>          > Thomas
>
>          > _______________________________________________
>          > FreeIPA-users mailing list --
>         freeipa-users@lists.fedorahosted.org
>         <mailto:freeipa-users@lists.fedorahosted.org>
>          > To unsubscribe send an email to
>         freeipa-users-leave@lists.fedorahosted.org
>         <mailto:freeipa-users-leave@lists.fedorahosted.org>
>          > Fedora Code of Conduct:
>         https://getfedora.org/code-of-conduct.html
>          > List Guidelines:
>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>          > List Archives:
>         https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
>
>
>
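The thread turns on a mismatch between what `getcert list` reports and what is actually stored in the NSS databases (/etc/httpd/alias and /etc/pki/pki-tomcat/alias), which is why Fraser asks for `certutil -L` output rather than certmonger's view. The script below is an added example, not code from the thread or from the FreeIPA, certmonger or NSS projects: it reads the `certutil -L` listing and each certificate's `Not After` line straight from the database and flags expired or soon-to-expire entries, marking which of them are trusted CAs (a `C` in the SSL trust column) and which are end-entity certs with a private key (`u`). It assumes certutil's listing format as shown in the thread, treats certutil's timestamps as UTC, and uses a constructed sample modelled on the /etc/httpd/alias listing above for the offline run.

```python
"""Added example: audit certificate expiry directly in a FreeIPA NSS database.

Not code from the thread or from FreeIPA/certmonger. Assumptions: `certutil -L`
prints "<nickname>  <trust>" rows, `certutil -L -n <nick>` prints a
"Not After : <date>" line, and those dates are UTC. The sample output at the
bottom is constructed, modelled on the /etc/httpd/alias listing in the thread.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Trust triple as certutil prints it: "u,u,u", "CT,C,C", "CTu,Cu,Cu", "u,u,Pu", ",,"
TRUST_RE = re.compile(r"[CTPpucw]*,[CTPpucw]*,[CTPpucw]*")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Jun 27 06:31:26 2020"


@dataclass
class CertStatus:
    nickname: str
    trust: str          # raw SSL,S/MIME,JAR/XPI trust string
    not_after: datetime
    trusted_ca: bool    # 'C' in the SSL column: trusted to issue server certs
    days_left: int      # negative once expired

    @property
    def expired(self) -> bool:
        return self.days_left < 0


def parse_cert_list(listing: str) -> dict:
    """nickname -> trust string, from `certutil -d <db> -L` output."""
    certs = {}
    for line in listing.splitlines():
        # Nicknames may contain single spaces ("Server-Cert cert-pki-ca"),
        # so split only on runs of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not TRUST_RE.fullmatch(parts[-1]):
            continue  # header lines and blanks
        certs[" ".join(parts[:-1])] = parts[-1]
    return certs


def parse_not_after(cert_text: str) -> datetime:
    """Expiry from `certutil -d <db> -L -n <nick>` output (assumed UTC)."""
    m = NOT_AFTER_RE.search(cert_text)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), CERTUTIL_TIME).replace(tzinfo=timezone.utc)


def audit_from_text(listing: str, details: dict, now: datetime) -> list:
    """Combine a listing with per-nickname `-L -n` output into CertStatus rows."""
    rows = []
    for nick, trust in parse_cert_list(listing).items():
        not_after = parse_not_after(details[nick])
        rows.append(CertStatus(nick, trust, not_after,
                               "C" in trust.split(",")[0], (not_after - now).days))
    return rows


def run_certutil(dbdir: str, nick: Optional[str] = None) -> str:
    cmd = ["certutil", "-d", dbdir, "-L"] + (["-n", nick] if nick else [])
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_nssdb(dbdir: str, now: Optional[datetime] = None) -> list:
    """Audit a live NSS database by shelling out to the real certutil."""
    now = now or datetime.now(timezone.utc)
    listing = run_certutil(dbdir)
    details = {nick: run_certutil(dbdir, nick) for nick in parse_cert_list(listing)}
    return audit_from_text(listing, details, now)


def report(statuses: list, warn_days: int = 30) -> list:
    """One line per certificate that is expired or expires within warn_days."""
    lines = []
    for s in sorted(statuses, key=lambda s: s.not_after):
        if s.days_left < warn_days:
            state = "EXPIRED" if s.expired else f"expires in {s.days_left}d"
            role = "trusted CA" if s.trusted_ca else "end-entity"
            lines.append(f"{s.nickname:40} {s.trust:10} {role:10} {state}")
    return lines


# Constructed sample, modelled on the /etc/httpd/alias listing in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
O=xrs444,ST=Arizona,C=US                                     CT,C,C
I.XRS444.NET IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
"""
SAMPLE_DETAILS = {  # constructed `-L -n` fragments; only the Validity block matters
    "Signing-Cert":             "    Validity:\n        Not After : Tue Jun 12 17:42:10 2018\n",
    "O=xrs444,ST=Arizona,C=US": "    Validity:\n        Not After : Fri Jun 22 17:42:10 2035\n",
    "I.XRS444.NET IPA CA":      "    Validity:\n        Not After : Tue Jun 12 17:42:10 2018\n",
    "Server-Cert":              "    Validity:\n        Not After : Sat Jun 27 06:31:26 2020\n",
}
SAMPLE_NOW = datetime(2018, 6, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /etc/httpd/alias /etc/pki/pki-tomcat/alias
        for db in sys.argv[1:]:
            print(db)
            print("\n".join(report(audit_nssdb(db))) or "  all certificates valid")
    else:
        print("\n".join(report(audit_from_text(SAMPLE_LISTING, SAMPLE_DETAILS, SAMPLE_NOW))))
```

Run it against every NSS database a FreeIPA server actually uses, not just the two in the thread: the NSS error in the pki-tomcat message, -12195, is SSL_ERROR_UNKNOWN_CA_ALERT, an alert sent by the peer, so it is the directory server's own database (/etc/dirsrv/slapd-<INSTANCE>, instance name not given in the thread) that does not trust the CA which issued the client certificate pki-tomcat presents, and that database needs the same check. Comparing each `not_after` here with the expiry that `getcert list` reports for the same nickname is the direct test for the "renewed in certmonger but not in the database" condition described at the start of the thread.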