Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and
/var/log/pki/pki-tomcat/ca/debug reads:
[08/Aug/2018:10:12:02][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED
=======
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid
certificate: (-8181) Peer's Certificate has expired.
at
com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
at
com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
at
com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858)
at
com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181)
Peer's Certificate has expired.
at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
at
com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
... 44 more
Invalid class name repositorytop
at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1371)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
############ end of debug ##############
## I worry now that I am not making progress with cert renewal. With ntp stopped and the clock set back
in time, /var/log/ipa/renew.log reads:
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Initializing principal
host/ca-ldap01.domain.com(a)DOMAIN.COM using keytab /etc/krb5.keytab
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-M09nld/ccache
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Attempt 1/1: success
2018-08-07T17:12:34Z 4375 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:12:35Z 4375 MainThread ipa DEBUG Could not connect to the
Directory Server on
ca-ldap01.domain.com: Insufficient access: Invalid credentials
## OKAY, so I need to enable NTPD and go back in time again; now renew.log reads:
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing all plugin
modules in ipaserver.plugins...
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.baseldap
is not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.hbac is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.otp is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Starting external process
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG args=klist -V
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG Process finished, return
code=0
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stdout=Kerberos 5 version
1.14.1
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG stderr=
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.rabase
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.sudo
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.sudo is
not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG ipaserver.plugins.virtual
is not a valid plugin module
2018-08-07T17:11:34Z 6773 MainThread ipa DEBUG importing plugin module
ipaserver.plugins.xmlserver
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Initializing principal
host/ca-ldap01.domain.com(a)domain.com using keytab /etc/krb5.keytab
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-5bCOl7/ccache
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Attempt 1/1: success
2018-08-07T17:11:35Z 6773 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG flushing ldap://ca-ldap01.domain.com:389 from SchemaCache
2018-08-07T17:11:35Z 6773 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ca-ldap01.domain.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x5a69320>
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Starting external process
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG
args=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -vv
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG Process finished, return
code=2
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stdout=
2018-08-07T17:11:36Z 6773 MainThread ipa DEBUG stderr=* About to
connect() to
ca-ldap01.domain.com port 8080 (#0)
* Trying 10.211.9.58...
* Connected to
ca-ldap01.domain.com (10.211.9.58) port 8080 (#0)
GET
/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true
HTTP/1.1
Host: ca-ldap01.domain.com:8080
Accept: */*
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 995
< Date: Thu, 25 Oct 2018 05:42:30 GMT
<
* Connection #0 to host
ca-ldap01.domain.com left intact
GET
"http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true"
code = 0
code_text = "No error"
results = "<html><head><title>Apache Tomcat/7.0.69 - Error
report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 404 -
/ca/ee/ca/profileSubmit</h1><HR size="1"
noshade="noshade"><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><HR
size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.69</h3></body
</html>"
Entity: line 1: parser error : Opening and
ending tag mismatch: HR line 1 and body
able.</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
^
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and html
Entity: line 1: parser error : Premature end of data in tag body line 1
Entity: line 1: parser error : Premature end of data in tag html line 1
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and body
able.</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
^
## And the status of the certmonger service reads:
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: GET
http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServe...
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]:
<html><head><title>Apache Tomcat/7.0.69 - Error
report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 404 -
/ca/ee/ca/profileSubmit</h1><HR size="1"
noshade="noshade"><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b>
<u>The requested resource is not available.</u></p><HR
size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.69</h3></body></html>
Aug 07 10:12:45
ca-ldap01.domain.com dogtag-ipa-ca-renew-agent-submit[6884]:
dogtag-ipa-renew-agent returned 2
Thanks in advance for any suggestion on the next step.