Rob, something did not work. These are the results (I have hidden some variables):

1.) # ipa-getcert list -d /etc/httpd/alias -n Server-Cert

Number of certificates and requests being tracked: 9.
Request ID '20180405040333':
    status: CA_UNREACHABLE
    ca-error: Server at https://URL/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://URL:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

2.) # ipa-getcert list -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert

Request ID '20170530221007':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
    track: yes
    auto-renew: yes

3.) When I execute ipactl start, the output is:

Starting Directory Service
Failed to start Directory Service: Command '/bin/systemctl start dirsrv@EXAMPLE-TEST.service' returned non-zero exit status 1

These are some logs:

[05/Apr/2018:00:18:58.885890449 -0400] - INFO - slapd_extract_cert - CA CERT NAME: DSTRootCAX3
[05/Apr/2018:00:18:58.888428555 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
[05/Apr/2018:00:18:58.896375172 -0400] - INFO - slapd_extract_cert - CA CERT NAME: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
[05/Apr/2018:00:18:58.897587438 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
[05/Apr/2018:00:18:58.898932056 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
[05/Apr/2018:00:18:58.901702162 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[05/Apr/2018:00:18:58.951537472 -0400] - ERR - extractRSAKeysAndSubject - Failed extract cert with Server-Cert, (-8174-security library: bad database., 0).
[05/Apr/2018:00:18:58.952925282 -0400] - ERR - slapd_extract_key - Failed to extract keys for Server-Cert.

[05/Apr/2018:00:18:58.994602707 -0400] - WARN - Security Initialization - SSL alert: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[05/Apr/2018:00:18:58.996564966 -0400] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[05/Apr/2018:00:18:58.997430419 -0400] - ERR - Security Initialization - SSL failure: None of the cipher are valid
[05/Apr/2018:00:18:58.998238937 -0400] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed.  Disabling SSL2.
[05/Apr/2018:00:19:03.321481021 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.325672778 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.333172213 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for userRoot
[05/Apr/2018:00:19:03.334020816 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.335482273 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.336284805 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for ipaca
[05/Apr/2018:00:19:03.338113885 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.338954812 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
[05/Apr/2018:00:19:03.339889253 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for changelog
[05/Apr/2018:00:19:03.341542720 -0400] - ERR - ldbm_back_start - Failed to start databases, err=-1 BDB0092 Unknown error: -1
[05/Apr/2018:00:19:03.342340539 -0400] - ERR - ldbm_back_start - Failed to allocate 261825363 byte dbcache. Please reduce the value of nsslapd-cache-autosize and restart the server.
[05/Apr/2018:00:19:03.343291924 -0400] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[05/Apr/2018:00:19:03.345030921 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[05/Apr/2018:00:19:03.348707349 -0400] - WARN - ldbm_instance_add_instance_entry_callback - ldbm instance userRoot already exists
[05/Apr/2018:00:19:03.349536617 -0400] - ERR - ldbm_config_read_instance_entries - Failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[05/Apr/2018:00:19:03.350296961 -0400] - ERR - ldbm_config_load_dse_info - failed to read instance entries
[05/Apr/2018:00:19:03.351984088 -0400] - ERR - ldbm_back_start - Loading database configuration failed

The problem continues...
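
The following is an added example, not code from the thread and not part of FreeIPA. It turns the diagnosis the errors above point at (389-ds and httpd are configured to present a nickname, Server-Cert, that is no longer in their NSS databases, hence "-8174 security library: bad database" and certutil's "could not find certificate named Server-Cert") into a repeatable check. It reads the same things a person would read by hand: the `certutil -L` listing of each NSS DB, NSSNickname from /etc/httpd/conf.d/nss.conf, and nsSSLPersonalitySSL from the 389-ds encryption entry. The instance name EXAMPLE-TEST, the file paths in live_check(), and the sample listings embedded below are assumptions; the samples are constructed to mirror the thread, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Cross-check the server-certificate nickname each IPA service is configured
# to present against the nicknames actually present in that service's NSS
# database. A configured nickname that is absent from the DB is what 389-ds
# reports as "Can't find certificate (Server-Cert) ... -8174".
# Assumed: instance name EXAMPLE-TEST and the file paths in live_check().

# nss_nicknames: read `certutil -L -d <db>` output on stdin, print one
# nickname per line. The listing has a two-line header, blank lines, then
# "<nickname>   <trust attrs>" rows. Nicknames may contain spaces, so only
# the trailing trust attributes ("u,u,u", "CT,C,C", "CT,,") are stripped.
nss_nicknames() {
    sed -E -e '1,2d' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]+[A-Za-z,]*[[:space:]]*$//'
}

# httpd_nickname: the nickname mod_nss presents (NSSNickname in nss.conf).
httpd_nickname() {
    awk '$1 == "NSSNickname" { print $2; exit }'
}

# dirsrv_nickname: the nickname 389-ds presents (nsSSLPersonalitySSL on
# cn=RSA,cn=encryption,cn=config; feed it dse.ldif or ldapsearch output).
dirsrv_nickname() {
    sed -n -E 's/^nsSSLPersonalitySSL: *//p' | head -n 1
}

# check_nickname <nickname> <certutil -L listing>: prints "present" or
# "MISSING" for that nickname and returns 0 or 1 accordingly.
check_nickname() {
    if printf '%s\n' "$2" | nss_nicknames | grep -Fxq -- "$1"; then
        echo present
        return 0
    fi
    echo MISSING
    return 1
}

# live_check [instance]: the same logic against the real files (not run
# here; paths assumed). Rob's fix in the thread is to point NSSNickname and
# nsSSLPersonalitySSL back at a nickname this reports as "present".
live_check() {
    inst=${1:-EXAMPLE-TEST}
    rc=0
    h=$(httpd_nickname < /etc/httpd/conf.d/nss.conf)
    printf 'httpd  nickname %-20s ' "$h"
    check_nickname "$h" "$(certutil -L -d /etc/httpd/alias)" || rc=1
    d=$(dirsrv_nickname < "/etc/dirsrv/slapd-$inst/dse.ldif")
    printf 'dirsrv nickname %-20s ' "$d"
    check_nickname "$d" "$(certutil -L -d "/etc/dirsrv/slapd-$inst")" || rc=1
    return $rc
}

# Constructed sample inputs mirroring the thread: Server-Cert is still the
# configured nickname, but only the IPA CA and GoDaddy entries remain in the
# NSS DB (one listing stands in for both services' databases here).
SAMPLE_HTTPD_DB='Certificate Nickname                               Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

EXAMPLE-TEST IPA CA                                CT,C,C
Godaddy                                            CT,,
Godaddy2                                           u,u,u'

SAMPLE_NSS_CONF='NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert'

SAMPLE_DIRSRV_ENC='dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)'

# Demo on the samples: both services are configured for a nickname the DB
# no longer holds, which reproduces the startup failures in the thread.
demo() {
    h=$(printf '%s\n' "$SAMPLE_NSS_CONF" | httpd_nickname)
    d=$(printf '%s\n' "$SAMPLE_DIRSRV_ENC" | dirsrv_nickname)
    printf 'httpd  nickname %-20s ' "$h"; check_nickname "$h" "$SAMPLE_HTTPD_DB" || :
    printf 'dirsrv nickname %-20s ' "$d"; check_nickname "$d" "$SAMPLE_HTTPD_DB" || :
}
demo
```

On a real server, run `live_check` as root after the NSS DB password file is in place; a "MISSING" line tells you which service's configuration (nss.conf or the dirsrv encryption entry) has to be pointed at a nickname that certutil still lists, which is the manual fix Rob describes further down.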


On Mon, May 6, 2019 at 10:52 PM Rob Crittenden <rcritten@redhat.com> wrote:
Adrian HY wrote:
> Rob, thanks for your response. 
>
> The output of both commands  is:
>
> certutil: could not find certificate named "Server-Cert":
> PR_FILE_NOT_FOUND_ERROR: File not found
>
> Any suggestions?

I guess we do a bit of cleanup when replacing the certs. Not a big deal.

So I wrote up instructions on how to do this but it assumes your CA is
up and functioning and I'm not 100% sure that is the case. If your 3rd
party certs are expired that would explain it. What I'd suggest is use
getcert list | grep expires and then look at the web and LDAP certs to
see when there is a time when all the certs are valid. Then I'd kill
ntpd and use date to go back in time. Manually restart the IPA services
(ipactl will restart ntpd and might reset the date unless it throws its
hands up because it's too far out-of-whack).

Confirm that the CA works using something like: ipa cert-show 1

If you get any response back other than 503, like cert not found or a
display then things are working.

Then you can follow https://wordpress.com/post/rcritten.wordpress.com/190

Then bring back the date to today and restart ntpd.

Note that this won't remove the 3rd party certs or do any other sort of
cleanup. It might be considered a bit messy I suppose but those certs
shouldn't hurt anything. If you really want to clean them up once you're
sure things are functioning you can use certutil to remove them (after
backing up of course).

rob

>
> Thanks
>
> On Mon, May 6, 2019 at 3:54 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Adrian HY via FreeIPA-users wrote:
>     > Exactly, I ran ipa-server-certinstall and replaced both the Apache
>     > and 389-ds certificates. I bought the certificate but I can't renew it.
>     >
>     > I imported the certificates like this:
>     >
>     > Root Certificate: 
>     >
>     > ipa-cacert-manage -n Godaddy -p PASS_DIRECTORY_MANAGER -t CT,, install gdroot-g2.crt
>     > ipa-certupdate
>     >
>     > Intermediate certificates:
>     >
>     > ipa-cacert-manage -n Godaddy2 -p PASS_DIRECTORY_MANAGER -t CT,, install gd_bundle-g2-g1.crt 4dfc653ab0cf823d.crt
>     > ipa-certupdate
>     >
>     > Finally, the certificate:
>     >
>     > ipa-server-certinstall --dirman-password=PASS_DIRECTORY_MANAGER --pin=PASS_CERTIFICATE -w -d cert.key gd_bundle-g2-g1.crt 4dfc653ab0cf823d.crt --cert-name=Godaddy2
>     >
>     >
>     > My IPA version is 4.6.4, OS CentOS 7.6.
>
>     This is an absolutely perfect response to my question, thank you very
>     much :-)
>
>     Ok, so chances seem good that the original certs are still available.
>     Whether they are still valid is another question, they too could be
>     expired, but let's start there.
>
>     To check the certs and see if they are valid run:
>
>     # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>     certutil: certificate is valid
>
>     # certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert
>     certutil: certificate is valid
>
>     If you're lucky both are still valid (I'm mostly concerned that they are
>     expired).
>
>     If they are valid then you can manually edit /etc/httpd/conf.d/nss.conf
>     and find the NSSNickname line. Set the value to Server-Cert. That will
>     fix Apache.
>
>     To fix 389-ds you'll need to use an ldapmodify:
>
>     # ldapmodify -x -D 'cn=directory manager' -W
>     <password prompt>
>     dn: cn=RSA,cn=encryption,cn=config
>     changetype: modify
>     replace: nsSSLPersonalitySSL
>     nsSSLPersonalitySSL: Server-Cert
>     <a blank line>
>     ^D
>
>     Run ipactl restart to restart the world and you should be back in
>     business.
>
>     On the other hand if the certs are expired there will be a bit more
>     digging around. Let's hope for best case scenario and tackle the other
>     bit if we have to.
>
>     rob
>
>
>     >
>     > Thanks.
>     >
>     >
>     >
>     >
>     >
>     > On Mon, May 6, 2019 at 2:53 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Adrian HY via FreeIPA-users wrote:
>     >     > Hi Florence, thanks for your attention. 
>     >     >
>     >     > Yes, IPA was installed with self-signed CA, then I replaced the
>     >     > self-signed CA with 
>     >     > an externally-signed CA (godaddy certificate). The
>     certificate expired
>     >     > and I do not need it anymore. Hence, I need the self-signed CA.
>     >
>     >     We need to know exactly what it is you did.
>     >
>     >     On one hand it sounds like you ran ipa-server-certinstall and
>     replaced
>     >     one or both of the Apache and 389-ds certificates.
>     >
>     >     On the other hand it sounds like you got the IPA CA certificate
>     signed by an
>     >     external CA. Seems dubious to me that godaddy would do this
>     (at least
>     >     not without you ponying up major $$$).
>     >
>     >     It matters what you did so please be as detailed as possible.
>     >
>     >     The version of IPA would be handy to know as well.
>     >
>     >     rob
>     >
>     >     >
>     >     > Thanks. 
>     >     >
>     >     >
>     >     > On Mon, May 6, 2019 at 2:32 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>     >     >
>     >     >     On 5/4/19 5:29 AM, Adrian HY via FreeIPA-users wrote:
>     >     >     > Hello all,
>     >     >     >
>     >     >     > My commercial certificate has expired today. The pki-tomcatd
>     >     >     > service has stopped and I can't log in to the web GUI.
>     >     >     > Is it possible to revert to the original self-signed certificate?
>     >     >     >
>     >     >     Hi,
>     >     >     can you clarify which certificate expired? There are a
>     lot of
>     >     >     certificates in a FreeIPA installation (IPA CA, the
>     certs for
>     >     HTTP,
>     >     >     LDAP, Pkinit, the certs for Dogtag etc...)
>     >     >
>     >     >     You mention "the original self-signed certificate", are you
>     >     >     referring to
>     >     >     IPA CA? It would help to have the full story, for instance
>     >     "IPA was
>     >     >     installed with self-signed CA, then I replaced the
>     self-signed
>     >     CA with
>     >     >     an externally-signed CA etc..."
>     >     >
>     >     >     flo
>     >     >
>     >     >     > Thanks.
>     >     >     >
>     >     >     > _______________________________________________
>     >     >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     >     > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >     >     > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>     >     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     >     > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
>
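
The following is an added example, not code from the thread and not FreeIPA tooling. It supports the step in Rob's reply above where he suggests finding "a time when all the certs are valid", stopping ntpd, setting the clock back, restarting the services by hand and checking the CA with ipa cert-show before renewing. `getcert list` only shows an "expires:" field, so the script instead reads the Validity blocks of one or more `certutil -L -n <nickname> -d <db>` dumps and computes the intersection of their validity periods, then prints (but does not run) the commands for that window. It assumes GNU date (for `date -d`) and that certutil's timestamps and `date -d` are interpreted in the same local timezone on the IPA server; the certificate dumps embedded below are constructed samples with made-up dates, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Compute the window in which every listed certificate is valid, from the
# "Validity:" blocks of `certutil -L -n <nick> -d <db>` dumps on stdin, and
# print a dry run of the clock-rollback procedure described in the thread.
# Assumed: GNU date, and certutil/date agreeing on the local timezone.

# to_epoch "Thu Apr 05 04:03:33 2018" -> seconds since the epoch.
to_epoch() {
    date -d "$1" +%s
}

# validity_window: prints "<start> <end>" (epoch seconds) where start is the
# latest "Not Before" and end the earliest "Not After" seen on stdin.
# Returns 1 and prints nothing when the intersection is empty, i.e. there is
# no instant at which all the certificates are valid at once.
validity_window() {
    dump=$(cat)
    start=0
    end=''
    while IFS= read -r line; do
        case $line in
            *'Not Before: '*)
                t=$(to_epoch "${line#*Not Before: }")
                if [ "$t" -gt "$start" ]; then start=$t; fi ;;
            *'Not After : '*)
                t=$(to_epoch "${line#*Not After : }")
                if [ -z "$end" ] || [ "$t" -lt "$end" ]; then end=$t; fi ;;
        esac
    done <<EOF
$dump
EOF
    if [ -z "$end" ] || [ "$start" -ge "$end" ]; then
        return 1
    fi
    echo "$start $end"
}

# suggest_clock: dry run of the procedure from the thread for the window
# found on stdin. It only prints the commands; nothing is executed.
suggest_clock() {
    win=$(validity_window) || {
        echo 'no instant at which all certificates are valid; a clock rollback will not help' >&2
        return 1
    }
    s=${win% *}
    e=${win#* }
    mid=$(( (s + e) / 2 ))      # aim for the middle of the window
    cat <<EOF
# all listed certs are valid from $(date -d "@$s") to $(date -d "@$e")
systemctl stop ntpd
date -s @$mid                  # $(date -d "@$mid")
# start the IPA services by hand (ipactl would restart ntpd), e.g.
systemctl start dirsrv@EXAMPLE-TEST.service
ipa cert-show 1                # any answer other than a 503 means the CA is up
# renew the certs as in the thread, then set the clock back to the real time and:
systemctl start ntpd
EOF
}

# Constructed sample: two server certs whose validity periods overlap (the
# dates are made up). For the real thing feed the actual dumps, e.g.
#   { certutil -L -n Server-Cert -d /etc/httpd/alias;
#     certutil -L -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-TEST; } | suggest_clock
SAMPLE_DUMP='Certificate:
    Data:
        Validity:
            Not Before: Tue May 30 22:10:07 2017
            Not After : Thu May 30 22:10:07 2019
Certificate:
    Data:
        Validity:
            Not Before: Thu Apr 05 04:03:33 2018
            Not After : Fri Apr 05 04:03:33 2019'

# Constructed sample with no overlap: nothing can be fixed by a rollback.
SAMPLE_DISJOINT='            Not Before: Fri Jan 01 00:00:00 2016
            Not After : Sun Jan 01 00:00:00 2017
            Not Before: Mon Jan 01 00:00:00 2018
            Not After : Tue Jan 01 00:00:00 2019'

printf '%s\n' "$SAMPLE_DUMP" | suggest_clock
```

The empty-intersection case is the one to watch for: if the old IPA-issued certs and the third-party ones never overlapped, there is no date to roll back to and the certs have to be re-issued another way. Running with the clock set back is also a window in which Kerberos tickets and any other time-based checks are wrong, so keep it short and do it while the host is otherwise idle.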