### Request for enhancement: (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired
At present, it is an online operation, so I dare not change the configuration at will. I tried to modify the Linux time on the test environment, but there were some unexpected risks. I don't dare change the time online like this. Is there a good way to renew it? Thank you very much.

#### Steps to Reproduce

```
root@fs-ambari-server:~# ipa host-add fs-hiido-alluxio-12-65-100.hiido.host.yydevops.com
ipa: ERROR: cert validation failed for "CN=fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
root@fs-ambari-server:~#
root@fs-ambari-server:~#
root@fs-ambari-server:~# cat /tmp/kinit_trace
[61194] 1653916457.285087: ccselect module realm chose cache KEYRING:persistent:0:0 with client principal [email protected] for server principal HTTP/[email protected]
[61194] 1653916457.285138: Getting credentials [email protected] -> HTTP/[email protected] using ccache KEYRING:persistent:0:0
[61194] 1653916457.285216: Retrieving [email protected] -> HTTP/[email protected] from KEYRING:persistent:0:0 with result: 0/Success
[61194] 1653916457.285253: Creating authenticator for [email protected] -> HTTP/[email protected], seqnum 746871073, subkey aes256-cts/24EC, session key aes256-cts/BFE5
```

```
ssh [email protected]
root@fs-hiido-kerberos-server02:/var/log/ipa# ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20200528083036':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_dirsrv YYDEVOPS-COM
    track: yes
    auto-renew: yes
Request ID '20200528083056':
    status: CA_UNREACHABLE
    ca-error: Server at https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/fs-hiido-kerberos-server02.hiido.host.yydevops.com-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=YYDEVOPS.COM
    subject: CN=fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=YYDEVOPS.COM
    expires: 2022-05-29 16:31:00 CST
    dns: fs-hiido-kerberos-server02.hiido.host.yydevops.com
    principal name: HTTP/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
```

#### Version/Release/Distribution

```
root@fs-hiido-kerberos-server02:/var/log/ipa# ipa --version
VERSION: 4.8.6, API_VERSION: 2.236
```
