Hi,

On Mon, Jul 4, 2022 at 11:52 AM roy liang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I deliberately set the server back 2 years, installed FreeIPA server, and then synchronized the time back. The related service certificates expired. Verify this:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
But it didn't work out.
The workaround from the above documentation allows starting the LDAP server and the Apache server even with expired certificates, but the other services may suffer from expired certificates too. For instance, when you run the ipa user-show command, it contacts the HTTP server, and the application running inside the HTTP server may need to contact the PKI server (for instance to retrieve certificate information for the user). This connection between HTTP and PKI is authenticated using the RA cert, which is also expired, and also needs to be secured using the PKI server cert, which is also expired.

The workaround allows the services to start but does not guarantee that all the commands will work.

Hope this clarifies,
flo
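To make the mechanism behind flo's explanation concrete, here is an added example in Go. It is not FreeIPA, 389-ds or Dogtag code and it does not talk to a real server: it builds a toy CA and the four certificates named above (HTTP server, LDAP server, PKI server and RA agent), all issued while the clock read two years in the past, then runs chain validation once against that rolled-back clock and once against the corrected clock. The lifetimes (20-year CA, 2-year service and agent certificates), the certificate names and the realm EXAMPLE.TEST are assumptions chosen for the model, not values taken from this thread or from FreeIPA defaults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Assumed lifetimes (not from any real deployment): long-lived CA, two-year leaves.
const (
	caLifetime  = 20 * 365 * 24 * time.Hour
	svcLifetime = 2 * 365 * 24 * time.Hour
)

// mustIssue generates a key for tmpl and signs the certificate with signer,
// or with the new key itself (self-signed) when signer is nil.
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDeployment models an IPA server installed while the clock read installClock:
// a self-signed CA (the returned trust root) plus the HTTP, LDAP and PKI server certs
// and the RA agent cert, all valid from installClock. Names and realm are illustrative.
func BuildDeployment(installClock time.Time) (*x509.CertPool, map[string]*x509.Certificate) {
	ca, caKey := mustIssue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Certificate Authority", Organization: []string{"EXAMPLE.TEST"}},
		NotBefore:             installClock,
		NotAfter:              installClock.Add(caLifetime),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaves := map[string]*x509.Certificate{}
	for i, name := range []string{"HTTP server cert", "LDAP server cert", "PKI server cert", "RA agent cert"} {
		leaves[name], _ = mustIssue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)),
			Subject:      pkix.Name{CommonName: name, Organization: []string{"EXAMPLE.TEST"}},
			NotBefore:    installClock,
			NotAfter:     installClock.Add(svcLifetime),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
	}
	return roots, leaves
}

// ExpiredAt validates every leaf against roots as of the given clock value and returns,
// sorted, the names that fail only because they expired; any other failure is an error.
func ExpiredAt(roots *x509.CertPool, leaves map[string]*x509.Certificate, now time.Time) ([]string, error) {
	var expired []string
	for name, cert := range leaves {
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
		var inv x509.CertificateInvalidError
		switch {
		case err == nil:
		case errors.As(err, &inv) && inv.Reason == x509.Expired:
			expired = append(expired, name)
		default:
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
	sort.Strings(expired)
	return expired, nil
}

func main() {
	realNow := time.Date(2022, 7, 4, 17, 40, 0, 0, time.UTC) // the corrected clock
	installClock := realNow.AddDate(-2, 0, -1)               // the rolled-back clock at install time
	roots, leaves := BuildDeployment(installClock)
	for _, when := range []time.Time{installClock.Add(time.Hour), realNow} {
		expired, err := ExpiredAt(roots, leaves, when)
		fmt.Printf("clock %s: expired=%v err=%v\n", when.Format("2006-01-02"), expired, err)
	}
}
```

Under the rolled-back clock every certificate verifies; under the corrected clock all four leaves fail with x509.Expired while the CA itself is still valid. That is exactly the state the documented workaround papers over: the directory server and httpd can be told to tolerate their own expired Server-Cert, but every place where one component validates another's certificate (the HTTP-to-PKI connection authenticated with the RA cert, or the ipa client validating the HTTPS endpoint) fails in the same way. On a real FreeIPA server the equivalent check is certmonger's getcert list, which prints each tracked certificate's expiry date and status.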
I confirm my modification:

1: less /etc/apache2/mods-enabled/nss.conf
   # add NSSEnforceValidCerts off

2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
dn: cn=config
nsslapd-validate-cert: warn

I have restarted all services and rebooted the server. However, the relevant command still cannot be used:

root@ipa-test-65-198:/home# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

What is the reason for this? Do I need to view or configure anything? Thank you for your guidance.
My system is Ubuntu 16.04 and FreeIPA 4.3.
/var/log/apache2/error:
[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired
less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[04/Jul/2022:17:23:08 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI requests
[04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization

The document address:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org