Hi,

I have a problem with FreeIPA state. At some point, PKI certificates were regenerated from scratch, but Dirsrv and HTTPD are still using old certificates, and Dogtag cannot connect to them because of this. Here is `/var/log/pki/pki-tomcat/ca/debug`:

```
[02/Nov/2016:22:18:53][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[02/Nov/2016:22:18:53][localhost-startStop-1]: ============================================
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=false
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory: init
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init()
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init begins
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init ends
[02/Nov/2016:22:18:53][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[02/Nov/2016:22:18:53][localhost-startStop-1]: makeConnection: errorIfDown true
[02/Nov/2016:22:18:53][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca

Internal Database Error encountered: Could not connect to LDAP server host freeipa.sparky.salford-systems.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8179) Peer's Certificate issuer is not recognized. (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine.shutdown()
```

I am running FreeIPA in a Docker container with Fedora 24:

```
pki-base-10.3.5-6.fc24.noarch
pki-base-java-10.3.5-6.fc24.noarch
pki-kra-10.3.5-6.fc24.noarch
pki-tools-10.3.5-6.fc24.x86_64
pki-ca-10.3.5-6.fc24.noarch
pki-server-10.3.5-6.fc24.noarch
```

How can I regenerate and push the certificates for Dirsrv and HTTPD?

Thank you in advance,
Vlad
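
Added example, not part of the original post: a small Python triage helper that pulls the failed LDAPS handshake out of a Dogtag debug log like the one above, ties it to the client certificate nickname selected just before it, and names the NSS error (-8179 is `SEC_ERROR_UNKNOWN_ISSUER`: the certificate presented on port 636 chains to a CA the connecting client does not have). The sample is an excerpt of the posted log; the function and dictionary names are illustrative.

```python
import re

# Excerpt of the debug log quoted in the post (hostname as posted).
SAMPLE_LOG = """\
[02/Nov/2016:22:18:53][localhost-startStop-1]: makeConnection: errorIfDown true
[02/Nov/2016:22:18:53][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca

Internal Database Error encountered: Could not connect to LDAP server host freeipa.sparky.salford-systems.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8179) Peer's Certificate issuer is not recognized. (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine.shutdown()
"""

NICK_RE = re.compile(r"set client auth cert nickname (?P<nick>.+)$", re.M)
# "[^\[]*?" lets the exception text wrap across lines but never cross into the
# next timestamped record (which starts with "[").
FAIL_RE = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+)"
    r"[^\[]*?SSL_ForceHandshake failed: \((?P<code>-\d+)\) (?P<msg>[^\n]+?) \(-?\d+\)")

# NSS error codes that mean the client rejected the server's certificate.
NSS_CERT_ERRORS = {
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
}

def find_handshake_failures(log_text):
    """Return one dict per failed LDAPS handshake found in a Dogtag debug log."""
    failures = []
    for m in FAIL_RE.finditer(log_text):
        # The nickname that applies is the last one logged before the failure.
        nicks = NICK_RE.findall(log_text, 0, m.start())
        code = int(m.group("code"))
        failures.append({
            "host": m.group("host"),
            "port": int(m.group("port")),
            "client_cert_nickname": nicks[-1].strip() if nicks else None,
            "nss_code": code,
            "nss_name": NSS_CERT_ERRORS.get(code, "UNCLASSIFIED"),
            "nss_message": m.group("msg"),
            "server_cert_rejected": code in NSS_CERT_ERRORS,
        })
    return failures

if __name__ == "__main__":
    for failure in find_handshake_failures(SAMPLE_LOG):
        print(failure)
```
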