<html><head></head><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div dir="ltr" id="yui_3_16_0_ym19_1_1469807164755_3130">I have seen many threads on this, so sorry to bring it up again, but I have a FreeIPA domain with 4 IPA servers running on Red Hat 6, version 3.0.0-50. The certificates are expired/expiring and will not renew, and it is causing many issues for us. I have tried the many suggestions I have seen in the archives, such as changing the time to prior to expiration and attempting to renew by resubmitting the requests, but they never renew. An example of getcert list from the first server that expired:</div><div id="yui_3_16_0_ym19_1_1469807164755_3739"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1469807164755_3165">Number of certificates and requests being tracked: 8.<br id="yui_3_16_0_ym19_1_1469807164755_3418">Request ID '20140618161026':<br id="yui_3_16_0_ym19_1_1469807164755_3419">    status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469807164755_3420">    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates).<br id="yui_3_16_0_ym19_1_1469807164755_3421">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3422">    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469807164755_3423">    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3424">    CA: IPA<br id="yui_3_16_0_ym19_1_1469807164755_3425">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3426">    subject: CN=idm1-io.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3427">    expires: 2016-06-18 00:09:05 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3428">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3429">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469807164755_3430">    pre-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3431">    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA<br id="yui_3_16_0_ym19_1_1469807164755_3432">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3433">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3434">Request ID '20140618161126':<br id="yui_3_16_0_ym19_1_1469807164755_3435">    status: MONITORING<br id="yui_3_16_0_ym19_1_1469807164755_3436">    ca-error: Internal error: no response to "http://ipa1-io.example.com:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=5&renewal=true&xml=true".<br id="yui_3_16_0_ym19_1_1469807164755_3437">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3438">    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br 
id="yui_3_16_0_ym19_1_1469807164755_3439">    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3440">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469807164755_3441">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3442">    subject: CN=CA Audit,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3443">    expires: 2016-06-06 23:36:29 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3444">    key usage: digitalSignature,nonRepudiation<br id="yui_3_16_0_ym19_1_1469807164755_3445">    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br id="yui_3_16_0_ym19_1_1469807164755_3446">    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"<br id="yui_3_16_0_ym19_1_1469807164755_3447">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3448">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3449">Request ID '20140618161127':<br id="yui_3_16_0_ym19_1_1469807164755_3450">    status: MONITORING<br id="yui_3_16_0_ym19_1_1469807164755_3451">    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ocspSigningCert+cert-pki-ca&serial_num=2&renewal=true&xml=true".<br id="yui_3_16_0_ym19_1_1469807164755_3452">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3453">    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br id="yui_3_16_0_ym19_1_1469807164755_3454">    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3455">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469807164755_3456">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3457">    subject: CN=OCSP 
Subsystem,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3458">    expires: 2016-06-06 23:36:28 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3459">    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br id="yui_3_16_0_ym19_1_1469807164755_3460">    eku: id-kp-OCSPSigning<br id="yui_3_16_0_ym19_1_1469807164755_3461">    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br id="yui_3_16_0_ym19_1_1469807164755_3462">    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"<br id="yui_3_16_0_ym19_1_1469807164755_3463">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3464">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3465">Request ID '20140618161128':<br id="yui_3_16_0_ym19_1_1469807164755_3466">    status: MONITORING<br id="yui_3_16_0_ym19_1_1469807164755_3467">    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=subsystemCert+cert-pki-ca&serial_num=4&renewal=true&xml=true".<br id="yui_3_16_0_ym19_1_1469807164755_3468">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3469">    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set<br id="yui_3_16_0_ym19_1_1469807164755_3470">    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3471">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469807164755_3472">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3473">    subject: CN=CA Subsystem,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3474">    expires: 2016-06-06 23:36:28 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3475">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3476">    eku: id-kp-serverAuth,id-kp-clientAuth<br 
id="yui_3_16_0_ym19_1_1469807164755_3477">    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br id="yui_3_16_0_ym19_1_1469807164755_3478">    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"<br id="yui_3_16_0_ym19_1_1469807164755_3479">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3480">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3481">Request ID '20140618161129':<br id="yui_3_16_0_ym19_1_1469807164755_3482">    status: MONITORING<br id="yui_3_16_0_ym19_1_1469807164755_3483">    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=268304385&renewal=true&xml=true".<br id="yui_3_16_0_ym19_1_1469807164755_3484">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3485">    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set<br id="yui_3_16_0_ym19_1_1469807164755_3486">    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3487">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469807164755_3488">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3489">    subject: CN=ipa1.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3490">    expires: 2016-06-07 16:11:22 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3491">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3492">    eku: id-kp-serverAuth<br id="yui_3_16_0_ym19_1_1469807164755_3493">    pre-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3494">    post-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3495">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3496">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3497">Request ID 
'20140618161217':<br id="yui_3_16_0_ym19_1_1469807164755_3498">    status: NEED_CSR_GEN_TOKEN<br id="yui_3_16_0_ym19_1_1469807164755_3499">    stuck: yes<br id="yui_3_16_0_ym19_1_1469807164755_3500">    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-COM/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469807164755_3501">    certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3502">    CA: IPA<br id="yui_3_16_0_ym19_1_1469807164755_3503">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3504">    subject: CN=ipa1.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3505">    expires: 2016-06-18 00:09:05 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3506">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3507">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469807164755_3508">    pre-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3509">    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv example-COM<br id="yui_3_16_0_ym19_1_1469807164755_3510">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3511">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3512">Request ID '20140618161317':<br id="yui_3_16_0_ym19_1_1469807164755_3513">    status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469807164755_3514">    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates).<br id="yui_3_16_0_ym19_1_1469807164755_3515">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3516">    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469807164755_3517">    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3518">    CA: IPA<br id="yui_3_16_0_ym19_1_1469807164755_3519">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3520">    subject: CN=idm1-io.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3521">    expires: 2016-06-18 00:09:06 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3522">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3523">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469807164755_3524">    pre-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3525">    post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br id="yui_3_16_0_ym19_1_1469807164755_3526">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3527">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469807164755_3528">Request ID '20140618161338':<br id="yui_3_16_0_ym19_1_1469807164755_3529">    status: MONITORING<br id="yui_3_16_0_ym19_1_1469807164755_3530">    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".<br id="yui_3_16_0_ym19_1_1469807164755_3531">    stuck: no<br id="yui_3_16_0_ym19_1_1469807164755_3532">    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469807164755_3533">    certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469807164755_3534">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469807164755_3535">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3536">    subject: CN=IPA RA,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469807164755_3537">    expires: 2016-06-06 23:37:09 UTC<br id="yui_3_16_0_ym19_1_1469807164755_3538">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469807164755_3539">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469807164755_3540">    pre-save command: <br id="yui_3_16_0_ym19_1_1469807164755_3541">    post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br id="yui_3_16_0_ym19_1_1469807164755_3542">    track: yes<br id="yui_3_16_0_ym19_1_1469807164755_3543">    auto-renew: yes</div><div id="yui_3_16_0_ym19_1_1469807164755_3601" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469807164755_3609" dir="ltr">The localhost log in /var/log/pki-ca has errors like:</div><div id="yui_3_16_0_ym19_1_1469807164755_3640" dir="ltr">tail localhost.2016-07-29.log<br id="yui_3_16_0_ym19_1_1469807164755_3630">Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke<br id="yui_3_16_0_ym19_1_1469807164755_3631">SEVERE: Servlet.service() for servlet caProfileSubmit threw exception<br id="yui_3_16_0_ym19_1_1469807164755_3632">java.io.IOException: CS server is not ready to serve.<br id="yui_3_16_0_ym19_1_1469807164755_3633">    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)<br id="yui_3_16_0_ym19_1_1469807164755_3634">    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)<br id="yui_3_16_0_ym19_1_1469807164755_3635">    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)<br id="yui_3_16_0_ym19_1_1469807164755_3636">    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<br id="yui_3_16_0_ym19_1_1469807164755_3637">    at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)<br id="yui_3_16_0_ym19_1_1469807164755_3638">    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<br id="yui_3_16_0_ym19_1_1469807164755_3639">    at org.</div><div id="yui_3_16_0_ym19_1_1469807164755_3660" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469807164755_3692" dir="ltr">The debug log in /var/log/pki-ca:<br></div><div id="yui_3_16_0_ym19_1_1469807164755_3691" dir="ltr">tail debug<br id="yui_3_16_0_ym19_1_1469807164755_3681">[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br id="yui_3_16_0_ym19_1_1469807164755_3682">[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yui_3_16_0_ym19_1_1469807164755_3683">[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)<br id="yui_3_16_0_ym19_1_1469807164755_3684">[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.<br id="yui_3_16_0_ym19_1_1469807164755_3685">[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException<br id="yui_3_16_0_ym19_1_1469807164755_3686">[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br id="yui_3_16_0_ym19_1_1469807164755_3687">[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yui_3_16_0_ym19_1_1469807164755_3688">[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)<br 
id="yui_3_16_0_ym19_1_1469807164755_3689">[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.<br id="yui_3_16_0_ym19_1_1469807164755_3690">[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException</div><div id="yui_3_16_0_ym19_1_1469807164755_3749" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469807164755_3750" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469807164755_3751" dir="ltr">Performing most IPA commands results in errors such as: ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)<br></div><div id="yui_3_16_0_ym19_1_1469807164755_2942"><br></div><div id="yui_3_16_0_ym19_1_1469807164755_3869">Not sure if it is related, but we lost our first IPA server some time ago and had to promote another to be the CA master. Also, due to someone leaving the company at the beginning of the year, we had to change the Directory Manager password. I followed all the directions to do so, but it does not seem like it was a completely smooth transition. <br></div></div></body></html>
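The output quoted in the post, as an added triage example that is not part of the original message or of the FreeIPA/Dogtag projects: a small Python script that parses `getcert list` output in the layout certmonger prints, flags entries that are expired or stuck, classifies the two `ca-error` texts seen above, decodes the `error result (N)` code in the Dogtag debug log (49 is invalidCredentials in RFC 4511), and orders the work so that certificates renewed straight from Dogtag (`CA: dogtag-ipa-renew-agent`) are handled before those renewed through the IPA XML-RPC API (`CA: IPA`), since the latter path goes through httpd and the RA agent certificate and cannot succeed while those are broken. The sample inputs are constructed from the fields shown in the post; the triage hints are this example's own reading of the error strings, not a confirmed diagnosis of the poster's domain.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout 'getcert list' prints, trimmed to the fields
# this script reads. IDs and values mirror the post; this is not a live system.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20140618161026':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: no
    CA: IPA
    subject: CN=idm1-io.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
Request ID '20140618161338':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2016-06-06 23:37:09 UTC
Request ID '20140618161217':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    CA: IPA
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
"""

# Constructed Dogtag debug-log lines in the same shape as the post's /var/log/pki-ca/debug.
SAMPLE_DEBUG = """\
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
"""

# Date of the post, used as "now" so the run is reproducible.
POST_DATE = datetime(2016, 7, 29, tzinfo=timezone.utc)

# Standard LDAP result codes (RFC 4511) that surface in Dogtag internal-DB errors.
LDAP_RESULT_CODES = {32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 81: "serverDown"}

# ca-error text patterns certmonger records, each with this example's triage hint.
CA_ERROR_CLASSES = [
    (r"Peer certificate cannot be authenticated",
     "certmonger rejected the TLS cert of the IPA XML-RPC endpoint (httpd Server-Cert); "
     "nothing renewed via 'CA: IPA' can succeed until httpd presents a valid cert"),
    (r'no response to "https?://[^"]+/ca/ee/ca/profileSubmit',
     "Dogtag did not answer the renewal request; check the CA's own health and debug log"),
]


def parse_getcert(text):
    """Return one dict per 'Request ID' block of 'getcert list' output."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and line.startswith("    "):
            key, _, value = line.strip().partition(":")   # ca-error values contain ':' too
            cur[key] = value.strip()
    return entries


def is_expired(entry, now):
    """True when the tracked certificate's 'expires' field is at or before 'now'."""
    exp = datetime.strptime(entry["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return exp.replace(tzinfo=timezone.utc) <= now


def classify_error(entry):
    """Map a stuck state or ca-error text to a triage hint; None when nothing is recorded."""
    if entry.get("stuck") == "yes":
        return (f"certmonger is stuck in {entry['status']}: it cannot build a CSR because "
                "the NSS token it needs is unavailable")
    err = entry.get("ca-error", "")
    for pattern, hint in CA_ERROR_CLASSES:
        if re.search(pattern, err):
            return hint
    return "unrecognised ca-error: " + err if err else None


def ldap_result_codes(debug_text):
    """Decode every 'error result (N)' in a Dogtag debug log to its RFC 4511 name."""
    codes = {int(c) for c in re.findall(r"error result \((\d+)\)", debug_text)}
    return {c: LDAP_RESULT_CODES.get(c, "unknown") for c in codes}


def triage(entries, now):
    """Rank entries: Dogtag-renewed certs first, then IPA-API-renewed, expired before valid."""
    rank = {"dogtag-ipa-renew-agent": 0, "IPA": 1}
    rows = [{"id": e["id"], "subject": e["subject"], "ca": e["CA"],
             "expired": is_expired(e, now), "hint": classify_error(e)} for e in entries]
    return sorted(rows, key=lambda r: (rank.get(r["ca"], 2), not r["expired"]))


if __name__ == "__main__":
    for row in triage(parse_getcert(SAMPLE_GETCERT), POST_DATE):
        print(row)
    print("LDAP result codes in debug log:", ldap_result_codes(SAMPLE_DEBUG))
```

To run it against a real host, feed `parse_getcert` the output of `getcert list` and `ldap_result_codes` the tail of the CA debug log; the ordering it prints is only a starting point, and the renewal itself is still done with certmonger and the CA tooling.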