I deliberately set the server back 2 years, installed FreeIPA server, and then synchronized the time back. The related service certificate expires. Verify this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
But it didn't work out.
I confirm my modification:
1: less /etc/apache2/mods-enabled/nss.conf
#add
NSSEnforceValidCerts off
2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
dn: cn=config
nsslapd-validate-cert: warn
You have restarted all services and rebooted the server. However, the result is still unable to use the relevant command:
root@ipa-test-65-198:/home# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
What is the reason for this? Do I need to view or configure anything? For guidance, thank you.
My system is Ubuntu 16.04 and FreeIPA 4.3.
/var/log/apache2/error
[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired
less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[04/Jul/2022:17:23:08 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI requests
[04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization
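
A log-triage sketch for the three error sources quoted in the post above, added here as an example and not part of the original message: it maps each NSS error to the component that logged it and checks whether dirsrv still started after its expiry alert. The sample lines are copied from the post with wrapped lines rejoined; the function names and source labels are this example's own.

```python
import re

# NSS error numbers that appear in the post, with their NSS symbolic names.
NSS_CODES = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",  # local validation found the cert expired
    -12269: "SSL_ERROR_EXPIRED_CERT_ALERT",  # alert from the TLS peer: it rejected the cert as expired
}
# One pattern per log source (labels are this example's own).
PATTERNS = [
    ("ipa-cli", re.compile(r'^ipa: ERROR: cert validation failed for "(?P<what>[^"]+)" \(\((?P<name>SEC_ERROR_\w+)\)')),
    ("apache-mod_nss", re.compile(r"SSL Library Error: (?P<code>-\d+)")),
    ("dirsrv", re.compile(r"CERT_VerifyCertificateNow: verify certificate failed for cert (?P<what>\S+) .*error (?P<code>-\d+)")),
]
# Sample input: lines taken from the post above, wrapped lines rejoined.
SAMPLE = [
    'ipa: ERROR: cert validation failed for "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer\'s Certificate has expired.)',
    "[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired",
    "[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)",
    "[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist",
    "[04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests",
]

def triage(lines):
    """Return (source, nss_error_name, subject_or_nickname) for each cert failure line."""
    findings = []
    for line in lines:
        for source, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            name = g.get("name") or NSS_CODES.get(int(g["code"]), "unknown " + g["code"])
            findings.append((source, name, g.get("what")))
            break
    return findings

def dirsrv_started_despite_expiry(lines):
    """True if an expiry alert is followed by the LDAPS listener coming up."""
    alerted = False
    for line in lines:
        if "CERT_VerifyCertificateNow" in line and "-8181" in line:
            alerted = True
        elif alerted and "port 636 for LDAPS" in line:
            return True
    return False

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("dirsrv started despite expiry:", dirsrv_started_despite_expiry(SAMPLE))
```

On the sample lines it reports the expiry from the ipa client, Apache and dirsrv, and shows that dirsrv brought up its LDAPS listener after logging the alert.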