[Freeipa-users] Another Cert Expiration Problem

I have a single-server IPA environment in my homelab. I noticed today that I was unable to delete a host from IPA, and found that pki-tomcatd was down and unable to start. I found that several certificates had expired for some reason. I tried `ipa-cert-fix`, but that failed as pki-tomcat will not start. I attempted to set the server date/time to a date 24 hours before the certificates expired, and was able to get tomcat to start, however the `ipa-cert-fix` now fails with this error: CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1: "INFO: Loading instance type: pki-tomcatd\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']\nINFO: Renewing the following additional c erts: ['16']\nINFO: Stopping the instance to proceed with system cert renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n") I reviewed the blog at https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... (Thanks Flo!) but was still unable to get anything working. The Certificate password test fails with these errors: [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments. [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments. Any ideas what I can try?