I deliberately set the server back 2 years, installed Freeipa-Server, and then synchronized the time back. The related service certificate expires. Verify this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... But it didn't work out.

I confirm my modification:

1: less /etc/apache2/mods-enabled/nss.conf
   # add NSSEnforceValidCerts off

2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
   dn: cn=config
   nsslapd-validate-cert: warn

You have restarted all services and rebooted the server. However, the result is still unable to use the relevant command:

root@ipa-test-65-198:/home# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

What is the reason for this? Do I need to view or configure anything? For guidance, thank you. My system is ubuntu16.04 and freeipa 4.3.

/var/log/apache2/error
[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired

less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[04/Jul/2022:17:23:08 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
[04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI requests
[04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization
The document address https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Hi,
On Mon, Jul 4, 2022 at 11:52 AM roy liang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I deliberately set the server back 2 years, installed Freeipa-Server, and then
> synchronized the time back. The related service certificate expires. Verify this:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
> But it didn't work out.
The workaround from the above documentation allows starting the LDAP server and the Apache server even with expired certificates, but the other services may suffer from expired certificates too. For instance, when you run the ipa user-show command, it contacts the HTTP server, and the application running inside the HTTP server may need to contact the PKI server (for instance to retrieve certificate information for the user). This connection between HTTP and PKI is authenticated using the RA cert, which is also expired, and also needs to be secured using the PKI server cert, which is also expired.

The workaround allows the services to start but does not guarantee that all the commands will work.

Hope this clarifies,
flo
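A check a practitioner would run after such a time jump, added here as an example and not part of the thread: parse certmonger's `getcert list` output and report every tracked certificate that is already expired at a given clock, so that the RA certificate flo mentions is caught along with the HTTP and LDAP server certificates that the NSSEnforceValidCerts / nsslapd-validate-cert workaround covers. The sample output, request IDs and NSS DB paths below are constructed; the subject DN and the Server-Cert nickname are taken from the logs in the original post.

```python
# Added example: find certmonger-tracked certificates that are expired at a
# chosen clock time. GETCERT_LIST is a constructed `getcert list` sample
# (request IDs, NSS DB paths and dates are made up; the field layout follows
# certmonger, the subject DN and nickname follow the thread's logs).
import re
from datetime import datetime, timezone

GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20200704092307':
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert'
    issuer: CN=Certificate Authority,O=YYDEVOPS.COM
    subject: CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM
    expires: 2022-07-01 09:23:07 UTC
Request ID '20200704092308':
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert'
    issuer: CN=Certificate Authority,O=YYDEVOPS.COM
    subject: CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM
    expires: 2022-07-01 09:23:08 UTC
Request ID '20200704092309':
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert'
    issuer: CN=Certificate Authority,O=YYDEVOPS.COM
    subject: CN=IPA RA,O=YYDEVOPS.COM
    expires: 2022-07-01 09:23:09 UTC
"""

CERTMONGER_TIME = "%Y-%m-%d %H:%M:%S UTC"  # format certmonger prints in `expires:`

def parse_time(text):
    """Parse a certmonger timestamp such as '2022-07-01 09:23:07 UTC'."""
    return datetime.strptime(text, CERTMONGER_TIME).replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries

def expired_certs(text, now):
    """Return [(nickname, location, subject)] for every entry whose 'expires'
    is at or before `now` (a certmonger-format timestamp string)."""
    now_dt = parse_time(now)
    expired = []
    for e in parse_getcert(text):
        if parse_time(e["expires"]) <= now_dt:
            # certificate: type=NSSDB,location='...',nickname='...'
            store = dict(re.findall(r"(\w+)='([^']*)'", e["certificate"]))
            expired.append((store.get("nickname"), store.get("location"), e["subject"]))
    return expired

if __name__ == "__main__":
    for nick, loc, subj in expired_certs(GETCERT_LIST, "2022-07-04 09:40:18 UTC"):
        print(f"EXPIRED {nick} in {loc}: {subj}")
```

On a live server, feed the real `getcert list` output and the current time to expired_certs; every nickname it prints needs renewal before the dependent commands will work again.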
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Oh, I reviewed the documentation, and it is true, but it still doesn't solve the post-certificate fix problem, such as copying a new node. Thank you for your guidance.