pki-tomcatd service fails to start and expired PKI certificates cannot be renewed manually.

Solution Verified - Updated -

Issue

  • How to renew expired PKI subsystem (DogTag) CA certificates on an IPA server.
  • pki-tomcatd service fails to start on the IPA server due to the following error:
# tail -f /var/log/messages

Feb 19 16:50:05 host0 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Feb 19 16:50:07 host0 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Feb 19 16:50:07 host0 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
  • Attempts to renew the expired DogTag certificates with the command ipa-getcert resubmit -i [request_id] fail with the following error:
# tail -f /var/log/messages

Feb 19 10:49:12 host0 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Feb 19 10:49:14 host0 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 516, in main#012            api.Backend.ldap2.connect()#012  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect#012    conn = self.create_connection(*args, **kw)#012  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection#012    client_controls=clientctrls)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind#012    '', auth_tokens, server_controls, client_controls)#012  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012    self.gen.throw(type, value, traceback)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1005, in error_handler#012    error=info)#012NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-COM.socket':
Feb 19 10:49:14 host0 certmonger: 2019-02-19 10:49:14 [5414] Internal error
...
Feb 19 10:51:37 host0 ipa-httpd-kdcproxy: ipa: WARNING  Unable to connect to dirsrv: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-COM.socket':
Feb 19 10:51:37 host0 ipa-httpd-kdcproxy: ipa: WARNING  Disabling KDC proxy
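As an added example (not part of this article), a small Python check that pulls the indicators shown in the excerpts above out of /var/log/messages and classifies what they mean together: an expired PKI subsystem certificate plus an unreachable directory server is the state in which both automatic and resubmitted renewals fail. The sample lines are constructed from the excerpt; pattern strings and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Message patterns for certmonger, the DogTag renew-agent wrapper and IPA's LDAP
# client as they appear in /var/log/messages (matched on the message body only).
EXPIRED_RE = re.compile(r'Certificate named "([^"]+)" in token "([^"]+)" '
                        r'in database "([^"]+)" is no longer valid')
AGENT_RC_RE = re.compile(r"dogtag-ipa-renew-agent returned (\d+)")
LDAP_RE = re.compile(r"cannot connect to '(ldapi://[^']+)'")

@dataclass
class Findings:
    expired: list = field(default_factory=list)         # (nickname, token, database)
    agent_failures: list = field(default_factory=list)  # non-zero renew-agent exit codes
    ldap_unreachable: set = field(default_factory=set)  # LDAP URIs that could not be reached
    kdcproxy_disabled: bool = False

    def diagnosis(self) -> str:
        if self.expired and self.ldap_unreachable:
            return ("renewal blocked: expired PKI certificate(s) and the directory server "
                    "is unreachable, so automatic and resubmitted renewals cannot complete")
        if self.expired and self.agent_failures:
            return "renewal failing: expired PKI certificate(s), renew agent returned non-zero"
        if self.expired:
            return "expired PKI certificate(s) detected; check tracking with getcert list"
        return "no expired PKI certificates found in this excerpt"

def analyze(lines):
    """Walk syslog lines once and collect the indicators described above."""
    f = Findings()
    for line in lines:
        if (m := EXPIRED_RE.search(line)) and m.groups() not in f.expired:
            f.expired.append(m.groups())          # de-duplicated per certificate
        elif (m := AGENT_RC_RE.search(line)) and int(m.group(1)) != 0:
            f.agent_failures.append(int(m.group(1)))
        elif m := LDAP_RE.search(line):
            f.ldap_unreachable.add(m.group(1))
        if "Disabling KDC proxy" in line:
            f.kdcproxy_disabled = True
    return f

# Constructed sample modelled on the excerpt above (hostname and socket path as in the page).
SAMPLE_LINES = [
    'Feb 19 10:49:12 host0 certmonger: Certificate named "Server-Cert cert-pki-ca" in token '
    '"NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.',
    "Feb 19 10:49:14 host0 dogtag-ipa-ca-renew-agent-submit: NetworkError: cannot connect to "
    "'ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-COM.socket':",
    "Feb 19 16:50:07 host0 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2",
    "Feb 19 10:51:37 host0 ipa-httpd-kdcproxy: ipa: WARNING  Disabling KDC proxy",
]
```

Run it against `tail -n 500 /var/log/messages` on the affected server to get the same classification on live data.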

Environment

Red Hat Enterprise Linux 7.x
IPA 4.x
