Bug 1779984 - The ipa-cert-fix command failed. [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt' [NEEDINFO]
Keywords:
Status: POST
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Fraser Tweedale
QA Contact: ipa-qe
URL:
Whiteboard:
Duplicates: 1779987 1779999
Depends On:
Blocks: 1930586
Reported: 2019-12-05 07:36 UTC by amitkuma
Modified: 2021-05-03 13:57 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1930586
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
mkosek: needinfo? (twoerner)




Links:
Red Hat Knowledge Base (Solution) 4934451 (last updated 2020-03-28 07:31:53 UTC)

Description amitkuma 2019-12-05 07:36:20 UTC
Description of problem:

With repeated date changing and setting back and forth, ipa-cert-fix failed to renew the certs.

# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@master ~]# time^C
[root@master ~]# date
Thu Nov 13 17:39:34 EST 2025
[root@master ~]# 
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 5025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 5025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 50^C"
[root@master ~]# date
Thu Nov 13 17:41:21 EST 2025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 3025"
date: cannot set date: Invalid argument
Sun Nov 13 17:23:34 EST 3025
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2125"
Tue Nov 13 17:23:34 EST 2125
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real	0m21.731s
user	0m2.544s
sys	0m0.317s
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2225"
Sun Nov 13 17:23:34 EST 2225
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# time ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

real	0m22.144s
user	0m2.530s
sys	0m0.352s
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@master ~]# 
[root@master ~]# 
[root@master ~]# 
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 1925"
date: cannot set date: Invalid argument
Fri Nov 13 17:23:34 EST 1925
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2017"
Mon Nov 13 17:23:34 EST 2017
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"
Mon Nov 13 17:23:34 EST 2090
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"^C
(reverse-i-search)`cert': service ^Crtmonger restart
[root@master ~]# ip-acer^C
[root@master ~]# ipa-cert-fix 

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed: 

Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2027-11-03 21:24:34

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  29
  Expires: 2091-02-13 22:24:04

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
The ipa-cert-fix command failed.
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141310':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=IPA RA,O=IPA.TEST
	expires: 2027-11-03 17:24:24 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20191204141340':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Audit,O=IPA.TEST
	expires: 2027-11-03 17:24:22 EDT
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141341':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=OCSP Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:15 EDT
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141342':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=CA Subsystem,O=IPA.TEST
	expires: 2027-11-03 17:24:23 EDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141343':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=Certificate Authority,O=IPA.TEST
	expires: 2039-12-04 09:12:31 EST
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141344':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-03 17:24:34 EDT
	dns: master.ipa.test
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20191204141408':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:44 EST
	dns: master.ipa.test
	principal name: ldap/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20191204141434':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:32 EST
	dns: master.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20191204141448':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	expires: 2027-11-14 17:29:23 EST
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

Version-Release number of selected component (if applicable):
[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 (Ootpa)
[root@master ~]# rpm -qa|grep ipa
python3-libipa_hbac-2.2.0-19.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
libipa_hbac-2.2.0-19.el8.x86_64
ipa-server-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
python3-ipalib-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-server-trust-ad-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
sssd-ipa-2.2.0-19.el8.x86_64
redhat-logos-ipa-81.1-1.el8.noarch
python3-ipaserver-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-server-dns-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch
ipa-client-common-4.8.0-11.module+el8.1.0+4247+9f3fd721.noarch

# ipa-cert-fix --version
4.8.0

# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]

      --cert <Cert ID>            Fix specified system cert (default: all certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
      --ldap-url <URL>            LDAP URL (mutually exclusive to --ldapi-socket)
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -p, --port <port number>        Secure port number (default: 8443).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.


ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_139775471691928
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f2002ce5a58>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed: 

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  28
  Expires: 2027-11-03 21:24:23

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  30
  Expires: 2027-11-03 21:24:15

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  26
  Expires: 2027-11-03 21:24:22

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  27
  Expires: 2027-11-03 21:24:24

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  24
  Expires: 2027-11-14 22:29:32

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  25
  Expires: 2027-11-14 22:29:44

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  23
  Expires: 2027-11-14 22:29:23

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '27', '--extra-cert', '24', '--extra-cert', '25', '--extra-cert', '23']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['27', '24', '25', '23']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 28
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://master.ipa.test:8443/ca/rest/agent/certrequests/39

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in _perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  16
  Expires: 2027-11-03 21:26:07

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  17
  Expires: 2027-11-03 21:26:08

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  18
  Expires: 2027-11-03 21:26:09

ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 130, in run
    install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 262, in install_ipa_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in load_certificate_from_file
    with open(filename, mode='rb') as f:

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
certs should get renewed.

Additional info:

Comment 8 Fraser Tweedale 2020-04-23 10:01:00 UTC
*** Bug 1779987 has been marked as a duplicate of this bug. ***

Comment 9 Fraser Tweedale 2020-04-23 10:01:11 UTC
*** Bug 1779999 has been marked as a duplicate of this bug. ***

Comment 11 Dinesh Prasanth 2020-05-22 13:23:00 UTC
(In reply to amitkuma from comment #0)


~snip~
> 
> Request ID '20191204141343':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-ca-renew-agent
> 	issuer: CN=Certificate Authority,O=IPA.TEST
> 	subject: CN=Certificate Authority,O=IPA.TEST
> 	expires: 2039-12-04 09:12:31 EST

Your CA expires in 2039.

~snip~
> [root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"
> Mon Nov 13 17:23:34 EST 2090

You are running the cert-fix tool in 2090, at a point where the CA is expired.
The prerequisite to run the cert-fix tool is that you need to have a valid CA
signing certificate. At this point, you have failed to meet the prerequisite.

> [root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"^C
> (reverse-i-search)`cert': service ^Crtmonger restart
> [root@master ~]# ip-acer^C
> [root@master ~]# ipa-cert-fix 
> 
>                           WARNING
> 
> ipa-cert-fix is intended for recovery when expired certificates
> prevent the normal operation of FreeIPA.  It should ONLY be used
> in such scenarios, and backup of the system, especially certificates
> and keys, is STRONGLY RECOMMENDED.
> 
> 
> The following certificates will be renewed: 
> 
> Dogtag sslserver certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  29
>   Expires: 2027-11-03 21:24:34

The tool identifies (from the local nssdb) that the sslserver cert is expired.
> 
> Dogtag subsystem certificate:
>   Subject: CN=CA Subsystem,O=IPA.TEST
>   Serial:  28
>   Expires: 2027-11-03 21:24:23
> 
> Dogtag ca_ocsp_signing certificate:
>   Subject: CN=OCSP Subsystem,O=IPA.TEST
>   Serial:  30
>   Expires: 2027-11-03 21:24:15
> 
> Dogtag ca_audit_signing certificate:
>   Subject: CN=CA Audit,O=IPA.TEST
>   Serial:  26
>   Expires: 2027-11-03 21:24:22
> 
> IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=IPA.TEST
>   Serial:  27
>   Expires: 2027-11-03 21:24:24
> 
> IPA Apache HTTPS certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  24
>   Expires: 2027-11-14 22:29:32
> 
> IPA LDAP certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  25
>   Expires: 2027-11-14 22:29:44
> 
> IPA KDC certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  23
>   Expires: 2027-11-14 22:29:23
> 
> Enter "yes" to proceed: yes
> Proceeding.
> Renewed Dogtag sslserver certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  29
>   Expires: 2091-02-13 22:24:04
> 
> Renewed Dogtag subsystem certificate:
>   Subject: CN=CA Subsystem,O=IPA.TEST
>   Serial:  16
>   Expires: 2027-11-03 21:26:07
> 
> Renewed Dogtag ca_ocsp_signing certificate:
>   Subject: CN=OCSP Subsystem,O=IPA.TEST
>   Serial:  17
>   Expires: 2027-11-03 21:26:08
> 
> Renewed Dogtag ca_audit_signing certificate:
>   Subject: CN=CA Audit,O=IPA.TEST
>   Serial:  18
>   Expires: 2027-11-03 21:26:09
> 
> [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/certs/27-renewed.crt'

This is expected because an expired CA cannot sign a cert.

> The ipa-cert-fix command failed.

~snip~

> 
> # ipa-cert-fix -v
Second time the tool is executed

> ipapython.admintool: DEBUG: Not logging to a file
> ipalib.install.sysrestore: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> ipalib.install.sysrestore: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipaserver.install.installutils: DEBUG: httpd is configured
> ipaserver.install.installutils: DEBUG: kadmin is configured
> ipaserver.install.installutils: DEBUG: dirsrv is configured
> ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
> ipaserver.install.installutils: DEBUG: install is not configured
> ipaserver.install.installutils: DEBUG: krb5kdc is configured
> ipaserver.install.installutils: DEBUG: named is configured
> ipaserver.install.installutils: DEBUG: filestore has files
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]
> 
>       --cert <Cert ID>            Fix specified system cert (default: all
> certs).
>       --extra-cert <Serial>       Also renew cert with given serial number.
>       --agent-uid <String>        UID of Dogtag agent user
>       --ldapi-socket <Path>       Path to DS LDAPI socket
>       --ldap-url <URL>            LDAP URL (mutually exclusive to
> --ldapi-socket)
>   -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
>   -p, --port <port number>        Secure port number (default: 8443).
>   -v, --verbose                   Run in verbose mode.
>       --debug                     Run in debug mode.
>       --help                      Show help message.
> 
> 
> ipapython.ipautil: DEBUG: stderr=
> ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...

~snip~

> 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca',
> '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
> ipapython.ipautil: DEBUG: Process finished, return code=0
> ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----

This is a temporary sslserver cert that was created while you ran the cert-fix
for the first time. This cert expires on February 13, 2091. This cert WILL NOT
appear in LDAP.

The tool now thinks that sslserver cert is valid and removes it from its renewal list.

~snip~

>                           WARNING
> 
> ipa-cert-fix is intended for recovery when expired certificates
> prevent the normal operation of FreeIPA.  It should ONLY be used
> in such scenarios, and backup of the system, especially certificates
> and keys, is STRONGLY RECOMMENDED.
> 
> 
> The following certificates will be renewed: 
> 
> Dogtag subsystem certificate:
>   Subject: CN=CA Subsystem,O=IPA.TEST
>   Serial:  28
>   Expires: 2027-11-03 21:24:23
> 
> Dogtag ca_ocsp_signing certificate:
>   Subject: CN=OCSP Subsystem,O=IPA.TEST
>   Serial:  30
>   Expires: 2027-11-03 21:24:15
> 
> Dogtag ca_audit_signing certificate:
>   Subject: CN=CA Audit,O=IPA.TEST
>   Serial:  26
>   Expires: 2027-11-03 21:24:22
> 
> IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=IPA.TEST
>   Serial:  27
>   Expires: 2027-11-03 21:24:24
> 
> IPA Apache HTTPS certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  24
>   Expires: 2027-11-14 22:29:32
> 
> IPA LDAP certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  25
>   Expires: 2027-11-14 22:29:44
> 
> IPA KDC certificate:
>   Subject: CN=master.ipa.test,O=IPA.TEST
>   Serial:  23
>   Expires: 2027-11-14 22:29:23

sslserver is not on this list.

> 
> Enter "yes" to proceed: yes
> Proceeding.
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket',
> '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert',
> 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing',
> '--extra-cert', '27', '--extra-cert', '24', '--extra-cert', '25',
> '--extra-cert', '23']

sslserver is not on this list.

~snip~

NOTE: 
If this tool is executed with a valid CA signing cert for the third time on the same machine,
the renewals of other certs may succeed but sslserver cert will not get renewed and so the
CA won't start.

Comment 24 Fraser Tweedale 2021-02-17 06:57:40 UTC
This issue - as reported - is ultimately caused by missing certificates, resulting in Dogtag not starting properly.
That problem itself is out of scope for ipa-cert-fix to address, but I will investigate how our tools can
respond better to this sort of failure.  In particular:

1. `pki-server cert-fix' appears to exit cleanly even though it was unable to renew the certificates.
   This behaviour is incorrect.  The expected behaviour in this scenario is to return nonzero.
   `ipa-cert-fix' should then detect that `pki-server cert-fix' failed, and not attempt to locate renewed
   certificates but instead report the error.

2. `ipa-cert-fix' should have better handling of the case where the expected renewed certificates are
   not present.  Although this is indicative of an error in `pki-server cert-fix', we should fail with
   an error message, not a traceback.

I am proceeding with the above.
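The two defensive checks listed in this comment, as an added example that is not code from the freeipa or Dogtag projects: the command shape follows the debug log in the report and the renewed-cert path follows the traceback, while `CertFixError`, `run_cert_fix`, `build_command` and the injected `runner` are assumed names for illustration.

```python
"""Defensive handling of an external renewal step (added example).

Checks the exit status of 'pki-server cert-fix' before looking for its output,
and reports missing renewed certificate files with a clear error instead of a
FileNotFoundError traceback.  Not the freeipa implementation; names are assumed.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Sequence

# Location the original traceback shows ipa-cert-fix reading renewed certs from.
CERTS_DIR = Path("/etc/pki/pki-tomcat/certs")

# Anything with subprocess.run's calling convention; injected for offline testing.
Runner = Callable[..., subprocess.CompletedProcess]


class CertFixError(Exception):
    """Renewal could not be completed; the message is meant for the operator."""


def build_command(ldapi_socket: str, agent_uid: str,
                  system_certs: Sequence[str], extra_serials: Sequence[str]) -> List[str]:
    """Assemble the pki-server invocation in the shape seen in the debug log."""
    cmd = ["pki-server", "cert-fix", "--ldapi-socket", ldapi_socket,
           "--agent-uid", agent_uid]
    for cert_id in system_certs:
        cmd += ["--cert", cert_id]
    for serial in extra_serials:
        cmd += ["--extra-cert", serial]
    return cmd


def run_cert_fix(ldapi_socket: str, agent_uid: str, system_certs: Sequence[str],
                 extra_serials: Sequence[str], certs_dir: Path = CERTS_DIR,
                 runner: Runner = subprocess.run) -> List[Path]:
    """Run the renewal and return the renewed-cert files for extra_serials."""
    cmd = build_command(ldapi_socket, agent_uid, system_certs, extra_serials)
    proc = runner(cmd, capture_output=True, text=True, check=False)

    # Point 1: a nonzero exit means nothing downstream can be trusted. Stop here
    # and surface the tool's last stderr line instead of hunting for files.
    if proc.returncode != 0:
        lines = (proc.stderr or "").strip().splitlines()
        detail = lines[-1] if lines else "no stderr"
        raise CertFixError(
            f"'pki-server cert-fix' exited {proc.returncode}: {detail}")

    # Point 2: even with exit status 0, verify every expected output exists and
    # name all missing files in one message rather than failing on the first open().
    expected = [certs_dir / f"{serial}-renewed.crt" for serial in extra_serials]
    missing = [str(p) for p in expected if not p.is_file()]
    if missing:
        raise CertFixError(
            "'pki-server cert-fix' exited 0 but renewed certificates are missing: "
            + ", ".join(missing))
    return expected


def fake_runner(returncode: int, stderr: str = "") -> Runner:
    """Stand-in for subprocess.run returning a canned result (constructed)."""
    def run(cmd, **_kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout="", stderr=stderr)
    return run


def demo() -> Dict[str, str]:
    """Exercise the three outcomes in a scratch directory (constructed data)."""
    common = dict(ldapi_socket="/var/run/slapd-IPA-TEST.socket", agent_uid="ipara",
                  system_certs=["subsystem", "ca_ocsp_signing", "ca_audit_signing"],
                  extra_serials=["27", "24", "25", "23"])
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        certs = Path(tmp)
        # Outcome seen in the report: Dogtag rejects the agent and exits nonzero.
        try:
            run_cert_fix(certs_dir=certs,
                         runner=fake_runner(1, "ERROR: Authentication method not allowed.\n"),
                         **common)
        except CertFixError as err:
            results["nonzero_exit"] = str(err)
        # Exit 0 but serial 27 never written: the FileNotFoundError case, made explicit.
        for serial in ("24", "25", "23"):
            (certs / f"{serial}-renewed.crt").write_text("-----BEGIN CERTIFICATE-----\n")
        try:
            run_cert_fix(certs_dir=certs, runner=fake_runner(0), **common)
        except CertFixError as err:
            results["missing_output"] = str(err)
        # Every expected file present: the normal path returns the list of files.
        (certs / "27-renewed.crt").write_text("-----BEGIN CERTIFICATE-----\n")
        renewed = run_cert_fix(certs_dir=certs, runner=fake_runner(0), **common)
        results["success"] = ",".join(p.name for p in renewed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```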

Comment 25 Fraser Tweedale 2021-02-19 10:56:18 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/5579

This change improves the handling of Dogtag `pki-server cert-fix` errors in `ipa-cert-fix`.
The actual cause of the error in this BZ is in Dogtag, and is tracked by
https://bugzilla.redhat.com/show_bug.cgi?id=1930586.

Comment 26 Florence Blanc-Renaud 2021-02-23 08:37:17 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8721

Comment 27 Fraser Tweedale 2021-03-01 04:18:47 UTC
master PR: https://github.com/freeipa/freeipa/pull/5579
ipa-4-9 PR: https://github.com/freeipa/freeipa/pull/5590

master:
    8c2c6f8 (HEAD) ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

ipa-4-9:
    f2b1b5b (HEAD) ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

Moving to POST.

