Hi,
On Mon, Jul 4, 2022 at 11:52 AM roy liang via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> I deliberately set the server back 2 years, installed Freeipa-Server, and then
> synchronized the time back. The related service certificate expires. Verify
> this:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
> But it didn't work out.
The workaround from the above documentation allows starting the LDAP server
and the Apache server even with expired certificates, but the other services
may suffer from expired certificates too.
For instance, when you run the ipa user-show command, this command contacts the
HTTP server, and the application running inside the HTTP server may need to
contact the PKI server (for instance to retrieve certificate information for
the user). This connection between HTTP and PKI is authenticated using the
RA cert, which is also expired, and also needs to be secured using the PKI
server cert, which is also expired.
The workaround allows starting the services but does not guarantee that all
the commands will work.
Hope this clarifies,
flo
> I confirm my modification:
> 1: less /etc/apache2/mods-enabled/nss.conf
> #add
> NSSEnforceValidCerts off
> 2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D
> "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base
> "(objectclass=*)" nsslapd-validate-cert
> dn: cn=config
> nsslapd-validate-cert: warn
> You have restarted all services and rebooted the server. However, the result
> is still unable to use the relevant command
> root@ipa-test-65-198:/home# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa: ERROR: cannot connect to
> 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> What is the reason for this? Do I need to view or configure anything? For
> guidance, thank you.
> My system is Ubuntu 16.04 and FreeIPA 4.3
>
> /var/log/apache2/error
> [Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired
>
> less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
> [04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
> [04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> [04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
> [04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [04/Jul/2022:17:23:08 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
> [04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI requests
> [04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization
The document address
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
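The point in the reply above is that the documented workaround only relaxes validation in 389-ds and Apache, while the RA agent cert and the PKI server cert are expired as well. The quickest way to see the full blast radius on a server is to look at every certificate certmonger tracks, not just the two the workaround covers. The script below is an added example, not code from this thread or from the FreeIPA project: it parses the text layout of `getcert list` (approximated here from memory; the sample output, request IDs, nicknames and paths are constructed) and flags every tracked cert whose `expires:` stamp is at or before a reference time. The role labels for `ipaCert` and the `cert-pki-ca` nicknames are assumptions for the report.

```python
"""Which certmonger-tracked certificates on an IPA server are expired?

Added example, not from the mailing list thread or the FreeIPA project.
Parses `getcert list` text (approximated) and compares each "expires:"
stamp against a reference time, so the check covers every tracked cert
and not only the LDAP/HTTP server certs that the workaround tolerates.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output (approximated).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 5.
Request ID '20200704081512':
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2022-07-04 08:15:12 UTC
Request ID '20200704081513':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2022-07-04 08:15:13 UTC
Request ID '20200704081514':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2022-07-04 08:15:14 UTC
Request ID '20200704081515':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2022-07-04 08:15:15 UTC
Request ID '20200704081516':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2040-07-04 08:15:16 UTC
"""

# Assumed mapping from nickname to the service path the cert protects.
ROLE = {
    "ipaCert": "RA agent cert: authenticates HTTP -> PKI calls",
    "Server-Cert cert-pki-ca": "PKI (Dogtag) server TLS cert",
    "caSigningCert cert-pki-ca": "CA signing cert",
}

ENTRY_RE = re.compile(r"^Request ID '([^']+)':$")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_utc(stamp):
    """'2022-07-04 08:15:12 UTC' -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request: request_id, nickname, location, CA, subject, expires."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"request_id": m.group(1), "nickname": "", "location": ""}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or blank
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "certificate":
            nick, loc = NICK_RE.search(value), LOC_RE.search(value)
            current["nickname"] = nick.group(1) if nick else value
            current["location"] = loc.group(1) if loc else ""
        elif key in ("status", "CA", "subject", "expires"):
            current[key] = value
    return entries


def expired_at(entries, now_utc):
    """Entries whose 'expires' stamp is at or before now_utc (same stamp format)."""
    now = parse_utc(now_utc)
    return [e for e in entries if "expires" in e and parse_utc(e["expires"]) <= now]


def report(text, now_utc):
    """One line per tracked cert, flagging expired ones and their assumed role."""
    entries = parse_getcert_list(text)
    expired = {e["request_id"] for e in expired_at(entries, now_utc)}
    lines = []
    for e in entries:
        state = "EXPIRED" if e["request_id"] in expired else "valid  "
        role = ROLE.get(e["nickname"], "service TLS cert")
        lines.append(f"{state} {e['location']}:{e['nickname']} expires {e['expires']} ({role})")
    return lines


if __name__ == "__main__":
    # Reference time taken from the dirsrv log in the thread: 17:23:07 +0800 is 09:23:07 UTC.
    for line in report(SAMPLE_GETCERT_OUTPUT, "2022-07-04 09:23:07 UTC"):
        print(line)
```

Against the constructed sample, four of the five entries come out EXPIRED, including `ipaCert` and `Server-Cert cert-pki-ca`; only the CA signing cert is still valid. That is exactly the situation the reply describes: `NSSEnforceValidCerts off` and `nsslapd-validate-cert: warn` get httpd and 389-ds up, but nothing relaxes the RA-cert-authenticated, PKI-server-cert-protected hop between HTTP and Dogtag, so commands that need it still fail.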
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure