[Freeipa-users] Re: SSL Library Error: -12269 The server has rejected your certificate as expired

> I deliberately set the server back 2 years, installed Freeipa-Server, and then > synchronized the time back.The related service certificate expires.Verify > this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin... > But it didn't work out.

> I confirm my modification: > 1:less /etc/apache2/mods-enabled/nss.conf > #add > NSSEnforceValidCerts off > 2:root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D > "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base > "(objectclass=*)" nsslapd-validate-cert > dn: cn=config > nsslapd-validate-cert: warn > You have restarted all services and rebooted the server.However, the result is still > unable to use the relevant command > root@ipa-test-65-198:/home# ipa user-find > ipa: ERROR: cert validation failed for > "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" > ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) > ipa: ERROR: cannot connect to > 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json': > (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. > What is the reason for this? Do I need to view or configure anything?For guidance, thank > you > My system is ubuntu16.04 and freeipa 4.3 > > /var/log/apache2/error > [Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library > Error: -12269 The server has rejected your certificate as expired > > less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors > [04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate > failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable > Runtime error -8181 - Peer's Certificate has expired.) > [04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: > TLS1.0, max: TLS1.2 > [04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up > [04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree > scan in about 5 seconds after the server startup! > [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target > cn=groups,cn=compat,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target > cn=computers,cn=compat,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=ng,cn=compat,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com > does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=users,cn=compat,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target > cn=vaults,cn=kra,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com > does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist > [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild > membership,cn=tasks,cn=config does not exist > [04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added > before the CoS Definition. > [04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will > start in about 5 seconds! > [04/Jul/2022:17:23:08 +0800] - slapd started. Listening on All Interfaces port 389 for > LDAP requests > [04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests > [04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI > requests > [04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under > ou=sudoers,dc=yydevops,dc=com > [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under > cn=ng, cn=compat,dc=yydevops,dc=com > [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under > cn=computers, cn=compat,dc=yydevops,dc=com > [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization The document address https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure