I checked the date and got:
Not Before: Wed Nov 30 05:25:15 2022 Not After : Tue Nov 19 05:25:15 2024 Not Before: Wed Nov 30 05:25:14 2022 Not After : Tue Nov 19 05:25:14 2024 Not Before: Wed Nov 30 05:25:14 2022 Not After : Tue Nov 19 05:25:14 2024 Not Before: Wed Nov 30 05:25:14 2022 Not After : Sun Nov 30 05:25:14 2042 Not Before: Wed Nov 30 05:25:14 2022 Not After : Tue Nov 19 05:25:14 2024 Not Before: Wed Nov 30 05:25:36 2022 Not After : Tue Nov 19 05:25:36 2024 Not Before: Wed Nov 30 05:26:25 2022 Not After : Sat Nov 30 05:26:25 2024 Not Before: Wed Nov 30 05:26:05 2022 Not After : Sat Nov 30 05:26:05 2024
I changed it to Nov 17 00:00:00 2024 ipactl restart
But I was able to update the last 2 certs only (Server-Cert) -------------------- getcert resubmit -i 20221130052539 log:
Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: NEEDED_PREAUTH: host/ipa.dom.loc@DOM.LOC for krbtgt/DOM.LOC@DOM.LOC, Additional pre-authentication required Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5 Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18 ses=18}, host/ipa.dom.loc@DOM.LOC for krbtgt/DOM.LOC@DOM.LOC Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5 Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1 Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1 Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: TGS_REQ (6 etypes {18 17 16 23 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18 ses=18}, host/ipa.dom.loc@DOM.LOC for ldap/ipa.dom.loc@DOM.LOC Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5 Nov 17 00:46:38 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 1 Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1 Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 2 Nov 17 00:46:39 ipa.dom.loc python2[10168]: GSSAPI client step 2 Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 3 Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]: Forwarding request to dogtag-ipa-renew-agent Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]: dogtag-ipa-renew-agent returned 3 Nov 17 00:46:39 ipa.dom.loc certmonger[1032]: 2024-11-17 00:46:39 [1032] Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
----------------------------
Request ID '20221130052539': status: CA_UNREACHABLE ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOM.LOC subject: CN=CA Audit,O=DOM.LOC expires: 2024-11-19 05:25:15 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes