pki-bot / pki-issues-final


OSCP cert is expired and pki will not start #2008

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2459. Originally filed by aheverle@redhat.com on 2016-09-14 18:23:38:

Only the OSCP cert is expired. Cannot start pki-tomcat and fails to connect to CA.

Steps to Reproduce:

1. ipa-server-upgrade is failing

IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
CA did not start in 300.0s

2. [root@vm-bldr-ipadmz1 tmp]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption
         Issuer: "CN=Certificate Authority,O=DMZ.NCEP.NOAA.GOV"
         Validity:
             Not Before: Mon Jul 21 17:19:56 2014
             Not After : Sun Jul 10 17:19:56 2016

3. -- Subject: Unit user-0.slice has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit user-0.slice has begun shutting down.
Aug 30 14:50:30 vm-bldr-ipadmz1.ncep.noaa.gov certmonger[20653]:
Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
Certificate DB" in database "/var/lib/pki/pki-tomcat/ca/alias" is no
longer valid.

Additional info:

Seeing these errors in the logs and found these articles.
[aheverle@fubar 01691222]$ less 100-pki-tomcat.tar.gz/pki-tomcat/catalina.2016-08-30.log:

Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://vm-bldr-ipadmz1.ncep.noaa.gov:9080/ca/ocsp' did
not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching
property.
Aug 30, 2016 2:27:51 PM org.apache.catalina.startup.SetAllPropertiesRule begin

https://www.redhat.com/archives/freeipa-users/2015-March/msg00414.html

https://bugzilla.redhat.com/show_bug.cgi?id=1213974

https://fedorahosted.org/pki/ticket/1352
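The failure above is an expiry that went unnoticed until the upgrade: the OCSP signing cert's "Not After" had passed, so pki-tomcat refused to start. The following is an added example (not code from the issue or from the pki project) of a monitoring check that parses the `certutil -L -d <dir> -n <nick>` output shown in the report and classifies each nickname as expired, expiring or ok; the sample certificate block is constructed from the one quoted above, and the database path and nickname in the `__main__` section are assumed from the report.

```python
import re
import subprocess
from datetime import datetime

# certutil -L prints validity as e.g. "Sun Jul 10 17:19:56 2016" (local time).
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(certutil_text: str) -> datetime:
    """Extract the 'Not After' timestamp from `certutil -L` output."""
    m = NOT_AFTER_RE.search(certutil_text)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), CERTUTIL_DATE)


def days_remaining(certutil_text: str, now: datetime) -> int:
    """Whole days until expiry; negative once the cert has expired."""
    return (parse_not_after(certutil_text) - now).days


def classify(nickname: str, certutil_text: str, now: datetime, warn_days: int = 30) -> dict:
    """Label a cert 'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_remaining(certutil_text, now)
    status = "expired" if days < 0 else ("expiring" if days <= warn_days else "ok")
    return {"nickname": nickname, "days": days, "status": status}


def check_nickname(db_dir: str, nickname: str, warn_days: int = 30) -> dict:
    """Run certutil against a live NSS database and classify that nickname."""
    out = subprocess.run(["certutil", "-L", "-d", db_dir, "-n", nickname],
                         check=True, capture_output=True, text=True).stdout
    return classify(nickname, out, datetime.now(), warn_days)


# Constructed sample: the validity block of the OCSP signing cert from the report.
SAMPLE_OCSP_CERT = """\
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Validity:
             Not Before: Mon Jul 21 17:19:56 2014
             Not After : Sun Jul 10 17:19:56 2016
"""

if __name__ == "__main__":
    # Evaluated as of the upgrade failure in the report (30 Aug 2016): expired.
    print(classify("ocspSigningCert cert-pki-ca", SAMPLE_OCSP_CERT, datetime(2016, 8, 30)))
    # Against the live database (assumed Dogtag CA path and nickname from the report):
    # print(check_nickname("/var/lib/pki/pki-tomcat/ca/alias", "ocspSigningCert cert-pki-ca"))
```

Running the check over every nickname in the alias directory on a schedule (or from certmonger's own tracking) surfaces the expiry well before a restart or upgrade trips over it.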
pki-bot commented 3 years ago

Comment from aheverle@redhat.com at 2017-02-27 14:01:29

Metadata Update from @aheverle@redhat.com:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-31 14:14:54

Closed as duplicate of https://pagure.io/dogtagpki/issue/2776

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-31 14:14:54

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-09-06 19:40:41

Metadata Update from @mharmsen: