<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hi there, <br>
</p>
<p style="margin-top:0;margin-bottom:0">I've been using IPA 4.4.0 and pki-server 10.3.3 and have been posting on the freeipa mailing list, but unfortunately haven't resolved the problem, so I am looking for support on this mailing list.
<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">[1] Since certmonger failed to renew the certs, I believe the resolution is going back in time to when all certs were valid and restarting the certmonger service.
<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">[2] I went back in time and verified that pki-server is running, with the command:</p>
<p style="margin-top:0;margin-bottom:0"><span><br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span>SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview<br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span><br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span>[3] Restarted certmonger, and getcert list shows four certs in SUBMITTING status<br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span><br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span><span># getcert list | egrep "certificate|expire|status"
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: SUBMITTING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2018-08-14 20:49:38 UTC
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: SUBMITTING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2018-08-14 20:49:35 UTC
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: SUBMITTING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2018-08-14 20:49:36 UTC
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: MONITORING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2036-08-24 20:49:35 UTC
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: SUBMITTING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2018-08-14 20:50:00 UTC
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>status: MONITORING <br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>expires: 2020-07-07 01:47:45 UTC</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>[4] <span>Here is where the problem starts: the CA stops running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log reports
</span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present<br>
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.<br>
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!</span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span>[5] <span>I see that 'auditSigningCert' and ocspSigningCert have been renewed, so obviously at this very moment their validity period is not the same as for the other certs. Hence selftests.log reports auditSigningCert
 is invalid, the CA stops running, and I am left with two certs not renewed. The new cert list is now:
</span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><br>
</span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span># getcert list | egrep "certificate|expires"
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2020-10-29 06:35:38 UTC
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2020-10-11 20:15:53 UTC
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2018-08-14 20:49:36 UTC</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2036-08-24 20:49:35 UTC
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2018-08-14 20:50:00 UTC
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>expires: 2020-07-07 01:47:45 UTC
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>The question now is how to work around this problem. Instead of restarting the certmonger service, is there a way to manually renew a cert?
<br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span><br>
</span></span></span></p>
<p style="margin-top:0;margin-bottom:0"><span><span><span>thanks, Zarko</span></span></span><br>
</p>
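<p style="margin-top:0;margin-bottom:0">Added example (not code from the original post, nor from the FreeIPA, certmonger or Dogtag projects): a small Python checker that parses the kind of text <code>getcert list</code> prints, reports which tracked certs are expired as of a chosen clock value and which are sitting in SUBMITTING, and computes the earliest <code>expires</code> value, i.e. the instant the clock must be set before for every tracked cert to be valid at the same time when attempting the roll-back renewal described above. The sample input is constructed from the listing in the post. Assumptions: timestamps are printed in UTC as in the post, each field sits on its own <code>key: value</code> line, and the script file name <code>getcert_check.py</code> is made up for the usage line.</p>

```python
"""Check `getcert list` output against a chosen clock value.

Added example, not code from the original post. Assumes UTC timestamps and
one 'key: value' field per line; raw `getcert list` output (with 'Request ID'
headers) and the egrep-filtered form shown in the post both parse.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the six entries from the post, as printed by
# `getcert list | egrep "certificate|expire|status"`.
SAMPLE = """\
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
"""

# 'key: value'; the key is everything up to the first colon.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
NICK = re.compile(r"nickname='([^']*)'")


def parse_expires(value):
    """'2018-08-14 20:49:38 UTC' -> timezone-aware datetime (UTC only)."""
    if not value.endswith(" UTC"):
        raise ValueError("expected a UTC timestamp, got %r" % value)
    naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Split getcert output into one dict per tracked request.

    A new record starts at a 'Request ID' line, or when a field name repeats
    (which is how the egrep-filtered listing in the post delimits entries)."""
    records, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Request ID"):
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
        if key == "certificate":
            nick = NICK.search(value)
            current["nickname"] = nick.group(1) if nick else value
        elif key == "expires":
            current["expires"] = parse_expires(value)
    if current:
        records.append(current)
    return records


def expired_at(records, at):
    """Nicknames whose cert is expired as of the aware datetime `at`."""
    return [r["nickname"] for r in records if "expires" in r and at >= r["expires"]]


def stuck_submitting(records):
    """Nicknames whose certmonger request is still in SUBMITTING."""
    return [r["nickname"] for r in records if r.get("status") == "SUBMITTING"]


def latest_safe_clock(records):
    """Earliest 'expires' value: the clock must be set strictly before this
    for every tracked cert to be valid at once."""
    return min(r["expires"] for r in records if "expires" in r)


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    certs = parse_getcert(text)
    now = datetime.now(timezone.utc)
    print("tracked certs:", len(certs))
    print("expired now:", expired_at(certs, now))
    print("stuck in SUBMITTING:", stuck_submitting(certs))
    print("set the clock before:", latest_safe_clock(certs).isoformat())
```

<p style="margin-top:0;margin-bottom:0">Usage: <code>getcert list | python3 getcert_check.py</code> (with no input piped in it runs on the constructed sample). It only reports and renews nothing; on the post's own listing the "set the clock before" value is the ocspSigningCert expiry, 2018-08-14 20:49:35 UTC, the earliest of the four certs that were stuck in SUBMITTING.</p>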
</div>
</body>
</html>