I have similar problems as the ones described in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/XZPSXXZ4HJTLB6AYQT2FLCF7ZLCI3WXQ/

My IPA setup has 2 masters, both running CentOS 7.6. Today I got notified by Nagios that there were issues with my second server, ipa2. Checking ipactl I noticed that nothing much was running. ipactl start brought up a message that an upgrade was required (I apparently got an ipa update yesterday that I installed). The upgrade failed. Checking my certificates with getcert list gave me:

...
Request ID '20181001154055':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=HOME.FAZANT.NET
        subject: CN=ipa2.home.fazant.net,O=HOME.FAZANT.NET
        expires: 2019-04-25 21:33:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20181001154056':

So I reset the date to Mar 20 and did a resubmit for the certificate; that failed (as in the submission went OK, but the cert did not get renewed).

Checking Flo's blog, https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/, and https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/XZPSXXZ4HJTLB6AYQT2FLCF7ZLCI3WXQ/ made me execute:

[root@ipa2 ~]# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[root@ipa2 ~]#

and

#!/bin/bash
# List the private key for every cert-pki-ca nickname in the pki-tomcat NSS DB
for i in $(certutil -d /etc/pki/pki-tomcat/alias -L | grep cert-pki | awk '{print $1}') ; do
    certutil -d /etc/pki/pki-tomcat/alias -K -f /tmp/pwdfile.txt -n "$i cert-pki-ca"
done

which resulted in:

[root@ipa2 ~]# bash /root/ss
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 4286ed93407806ec2727e6244cc3959ec726265e caSigningCert cert-pki-ca

To answer Frazer's question in the follow-up to the mail from last year: no, pki-tomcat is non-functional. I do have my second server though.

certutil -L gives me:

[root@ipa2 ~]# certutil -L 'ocspSigningCert cert-pki-ca'
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Any help getting this issue resolved would be much appreciated.

kind regards,
Louis

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
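The post shows a certmonger-tracked certificate about five weeks from expiry on a CA whose pki-tomcat was already down, which Nagios only caught once services had stopped. As an added example (not from the post or from FreeIPA), the script below parses `getcert list` output and flags requests that are stuck, not in MONITORING state, or expiring within a warning window, so the condition can be alerted on before the CA goes dark; the sample output is constructed and modelled on the record in the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the post's getcert list output (not a real capture).
SAMPLE = """\
Request ID '20181001154055':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2019-04-25 21:33:46 UTC
        track: yes
Request ID '20181001154056':
        status: CA_UNREACHABLE
        stuck: yes
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2019-03-22 10:00:00 UTC
"""

def parse_utc(s):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(s.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            requests[-1][key.strip()] = value.strip()
    return requests

def audit(requests, now, warn_days=30):
    """Return (request id, reason) pairs that a monitoring check should alert on."""
    findings = []
    for r in requests:
        nick = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        label = f"{r['id']} ({nick.group(1) if nick else '?'})"
        if r.get("stuck") == "yes":
            findings.append((r["id"], f"{label}: stuck in state {r.get('status')}"))
        if r.get("status") != "MONITORING":
            findings.append((r["id"], f"{label}: status {r.get('status')}"))
        if r.get("expires"):
            days = (parse_utc(r["expires"]) - now).days
            if days < warn_days:
                findings.append((r["id"], f"{label}: expires in {days} days"))
    return findings

if __name__ == "__main__":
    for _, msg in audit(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        print(msg)
```

In production the text would come from `getcert list` on each master and the check would run under the same Nagios instance that reported the outage.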