Hi,

On Mon, Jul 4, 2022 at 11:52 AM roy liang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I deliberately set the server back 2 years, installed FreeIPA server, and then
> synchronized the time back. The related service certificate expires. Verify
> this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
> But it didn't work out.

The workaround from the above documentation allows starting the LDAP server and the Apache server even with expired certificates, but the other services may suffer from expired certificates too.
For instance, when you run the ipa user-show command, this command contacts the HTTP server, and the application running inside the HTTP server may need to contact the PKI server (for instance to retrieve certificate information for the user). This connection between HTTP and PKI is authenticated using the RA cert, which is also expired, and also needs to be secured using the PKI server cert, which is also expired.

The workaround allows starting the services but does not guarantee that all the commands will work.
Hope this clarifies,
flo
> I confirm my modification:
> 1:less /etc/apache2/mods-enabled/nss.conf
> #add
> NSSEnforceValidCerts off
> 2:root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D
> "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base
> "(objectclass=*)" nsslapd-validate-cert
> dn: cn=config
> nsslapd-validate-cert: warn
> You have restarted all services and rebooted the server. However, the result is still
> unable to use the relevant command
> root@ipa-test-65-198:/home# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa: ERROR: cannot connect to
> 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> What is the reason for this? Do I need to view or configure anything? For guidance, thank
> you
> My system is ubuntu16.04 and freeipa 4.3
>
> /var/log/apache2/error
> [Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library
> Error: -12269 The server has rejected your certificate as expired
>
> less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
> [04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate
> failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
> [04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min:
> TLS1.0, max: TLS1.2
> [04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
> [04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree
> scan in about 5 seconds after the server startup!
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target
> cn=groups,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target
> cn=computers,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=ng,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com
> does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=users,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target
> cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com
> does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild
> membership,cn=tasks,cn=config does not exist
> [04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added
> before the CoS Definition.
> [04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will
> start in about 5 seconds!
> [04/Jul/2022:17:23:08 +0800] - slapd started.  Listening on All Interfaces port 389 for
> LDAP requests
> [04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
> [04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI
> requests
> [04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under
> ou=sudoers,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under
> cn=ng, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under
> cn=computers, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization
The document address
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/expired-certs
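An added example (not from the thread or the FreeIPA project) of the check flo's answer implies: which of the service certificates are expired, and which of those the documented workaround (NSSEnforceValidCerts off, nsslapd-validate-cert warn) does not help with. It assumes each certificate was summarised with `openssl x509 -noout -subject -enddate` and the lines tagged with a constructed `[service]` prefix; the sample data and the reference date are constructed.

```python
from datetime import datetime, timezone

# openssl prints notAfter as e.g. "Jul  4 09:23:07 2024 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"

# Services whose expired certificate the documented workaround papers over:
# Apache (NSSEnforceValidCerts off) and 389-ds (nsslapd-validate-cert warn).
WORKAROUND_COVERS = {"ldap", "http"}

# Constructed sample: certs issued while the clock was 2 years behind, so all
# four have expired by the (constructed) reference date below.
SAMPLE = """\
[ldap] subject=CN=ipa.example.test,O=EXAMPLE.TEST
[ldap] notAfter=Jun 20 09:23:07 2022 GMT
[http] subject=CN=ipa.example.test,O=EXAMPLE.TEST
[http] notAfter=Jun 20 09:23:07 2022 GMT
[ra] subject=CN=IPA RA,O=EXAMPLE.TEST
[ra] notAfter=Jun 20 09:23:07 2022 GMT
[pki] subject=CN=ipa.example.test,O=EXAMPLE.TEST
[pki] notAfter=Jun 20 09:23:07 2022 GMT
"""
REFERENCE = datetime(2022, 7, 4, 9, 40, tzinfo=timezone.utc)


def parse_summary(text):
    """Group '[service] key=value' lines into {service: {key: value}}."""
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        tag, _, rest = line.partition("] ")
        key, _, value = rest.partition("=")
        certs.setdefault(tag[1:], {})[key] = value
    return certs


def audit(text, now):
    """Per service: notAfter, expired at `now`?, covered by the workaround?"""
    report = {}
    for svc, fields in parse_summary(text).items():
        not_after = datetime.strptime(fields["notAfter"], OPENSSL_DATE)
        not_after = not_after.replace(tzinfo=timezone.utc)  # openssl prints GMT
        report[svc] = {"subject": fields.get("subject", ""), "not_after": not_after,
                       "expired": not_after <= now, "covered": svc in WORKAROUND_COVERS}
    return report


def blocking_services(report):
    """Expired certs the workaround does not cover; these still break commands
    such as `ipa user-show`, whose path is HTTP -> RA cert -> PKI server cert."""
    return sorted(s for s, r in report.items() if r["expired"] and not r["covered"])


if __name__ == "__main__":
    rep = audit(SAMPLE, REFERENCE)
    for svc, r in rep.items():
        print(f"{svc:5} expired={r['expired']} covered={r['covered']} {r['subject']}")
    print("still blocking ipa commands:", blocking_services(rep))
```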
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org