I have a single-server IPA environment in my homelab. I noticed today that I was unable
to delete a host from IPA, and found that pki-tomcatd was down and unable to start.
I found that several certificates had expired for some reason. I tried `ipa-cert-fix`,
but that failed as pki-tomcat will not start.
I attempted to set the server date/time to a date 24 hours before the certificates
expired, and was able to get tomcat to start; however, `ipa-cert-fix` now fails with
this error:
CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1:
INFO: Loading instance type: pki-tomcatd
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg
INFO: Loading subsystem registry: /etc/pki/pki-tomcat/ca/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['16']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP connection for CA
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
I reviewed the blog at
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
(Thanks Flo!) but was still unable to get anything working. The Certificate password test
fails with these errors:
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Any ideas what I can try?
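Before setting the clock back, it helps to know exactly which certificates in the pki-tomcat NSS database have expired and how far back the clock has to go so that every one of them is valid again (and not so far back that one is not yet valid). The script below is an added example, not code from the original post or from FreeIPA/Dogtag. It assumes the text layout that `certutil -L -d <dir> -n <nick>` prints (a `Validity:` block with `Not Before`/`Not After` lines); the nicknames other than `subsystemCert cert-pki-ca` are the usual Dogtag ones but are an assumption here, and the listings in `SAMPLE` are constructed rather than captured from a real server.

```python
"""Find expired certs in a pki-tomcat NSS DB and pick a clock target.

Added example (not from the original post). It parses the Validity block that
``certutil -L -d <dir> -n <nick>`` prints; the SAMPLE listings are constructed.
"""
import re
import subprocess
from datetime import datetime, timedelta

NSS_DIR = "/etc/pki/pki-tomcat/alias"  # path used in the post

# Nicknames of the system certs that pki-server cert-fix was asked to renew
# (sslserver, subsystem, ca_ocsp_signing, ca_audit_signing). Only the
# subsystem nickname appears in the post; the others are assumed.
NICKNAMES = [
    "Server-Cert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
]

# certutil pretty-prints dates as e.g. "Thu Dec 19 10:00:00 2019"
DATE_FMT = "%a %b %d %H:%M:%S %Y"
_VALIDITY = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.M)


def parse_validity(listing):
    """Return (not_before, not_after) parsed from one certutil -L -n listing."""
    found = {m.group(1): datetime.strptime(m.group(2), DATE_FMT)
             for m in _VALIDITY.finditer(listing)}
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in certutil output")
    return found["Before"], found["After"]


def expired(listings, now):
    """Map nickname -> not_after for every cert that is expired at `now`."""
    out = {}
    for nick, text in listings.items():
        _, not_after = parse_validity(text)
        if not_after <= now:
            out[nick] = not_after
    return out


def clock_target(listings, margin=timedelta(hours=24)):
    """Latest date the clock can be set to so all listed certs are valid.

    That is the earliest Not After minus `margin`. If that falls before the
    latest Not Before, no single clock setting makes all certs valid and
    None is returned.
    """
    nbs, nas = zip(*(parse_validity(t) for t in listings.values()))
    target = min(nas) - margin
    return target if target >= max(nbs) else None


def dump_cert(nick, nss_dir=NSS_DIR):
    """Fetch one cert's listing from the real NSS DB (needs certutil)."""
    return subprocess.run(["certutil", "-L", "-d", nss_dir, "-n", nick],
                          check=True, capture_output=True, text=True).stdout


def _listing(serial, subject, not_before, not_after):
    # Constructed stand-in for certutil -L -n output; only the fields the
    # parser needs are reproduced.
    return (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        f"        Serial Number: {serial} (0x{serial:x})\n"
        '        Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.CO"\n'
        "        Validity:\n"
        f"            Not Before: {not_before}\n"
        f"            Not After : {not_after}\n"
        f'        Subject: "{subject}"\n'
    )


SAMPLE = {  # constructed sample data, not from a real server
    "Server-Cert cert-pki-ca": _listing(
        3, "CN=master.ipa.domain.co,O=IPA.DOMAIN.CO",
        "Tue Jan 02 10:00:00 2018", "Mon Jan 20 10:00:00 2020"),
    "subsystemCert cert-pki-ca": _listing(
        16, "CN=CA Subsystem,O=IPA.DOMAIN.CO",
        "Tue Jan 02 10:00:00 2018", "Thu Dec 19 10:00:00 2019"),
    "auditSigningCert cert-pki-ca": _listing(
        5, "CN=CA Audit,O=IPA.DOMAIN.CO",
        "Tue Jan 02 10:00:00 2018", "Wed Jan 01 10:00:00 2020"),
}


if __name__ == "__main__":
    # Swap SAMPLE for {n: dump_cert(n) for n in NICKNAMES} on a real server.
    now = datetime.now()
    for nick, when in expired(SAMPLE, now).items():
        print(f"EXPIRED {nick}: Not After {when:%Y-%m-%d %H:%M:%S}")
    print("set clock to:", clock_target(SAMPLE))
```

Run it as root on the IPA server with `SAMPLE` replaced by real `dump_cert` output to get the date to feed to `date -s` before retrying `ipa-cert-fix`; the `margin` is the same 24 hours the post uses, and the `None` result flags the case where an old cert's Not Before is later than the newest expiry, which a simple "go back a day" would miss.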