I copied the work on the master node of the valid CA. Now the problem should be
how to modify the child certificate outside the CA. The CA certificate will not
expire after 20 years by default; other certificates will expire after 2 years
by default, if not renewed. I feel like I have all the access to this server.
Why is it so hard to change the expiration date? Shouldn't let me set the system
time, this is a high risk solution, huh? Or did I not find the correct
modification document?

There is no problem with the CA; the local operation of IPA-related commands is normal:

root@fs-hiido-kerberos-21-117-149:/home/liangrui# getcert list | grep -E 'key pair storage|status|expires|principal'
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:06 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2039-09-10 11:23:06 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2021-08-30 11:23:25 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:06 UTC
status: MONITORING
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
expires: 2023-08-14 11:24:24 UTC
principal name: ldap/fs-hiido-kerberos-21-117-149.hiido.host.yydevops....@yydevops.com
status: MONITORING
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2023-08-14 11:26:13 UTC
principal name: HTTP/fs-hiido-kerberos-21-117-149.hiido.host.yydevops....@yydevops.com
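
Added example (not part of the original post, and not FreeIPA or certmonger code): a Python triage of grep-filtered `getcert list` output like the listing above. It reports each tracked certificate's validity next to its certmonger status, keeping the NSS database location because the nickname 'Server-Cert' occurs in more than one database. The sample text, the reference time and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the grep-filtered shape of the post, line wrapping undone.
SAMPLE = """\
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2039-09-10 11:23:06 UTC
status: MONITORING
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2023-08-14 11:26:13 UTC
"""

def parse_requests(text):
    """Group filtered `getcert list` lines into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "status":                      # a status line opens a new request
            requests.append({"status": value})
        elif requests and key == "key pair storage":
            for field in ("location", "nickname"):
                m = re.search(field + r"='([^']*)'", value)
                requests[-1][field] = m.group(1) if m else None
        elif requests and key == "expires":
            when = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
            requests[-1]["expires"] = when.replace(tzinfo=timezone.utc)
    return requests

def triage(requests, now, warn_days=28):
    """Return (nickname, location, validity, status) rows, soonest expiry first."""
    rows = []
    for r in sorted((r for r in requests if "expires" in r), key=lambda r: r["expires"]):
        if r["expires"] <= now:
            validity = "expired"
        elif r["expires"] - now <= timedelta(days=warn_days):
            validity = "expiring"
        else:
            validity = "valid"
        rows.append((r.get("nickname"), r.get("location"), validity, r["status"]))
    return rows

if __name__ == "__main__":
    ref = datetime(2021, 9, 15, tzinfo=timezone.utc)  # constructed reference time
    for row in triage(parse_requests(SAMPLE), ref):
        print(*row, sep="\t")
```

On a live host the input would be the output of the `getcert list | grep -E ...` pipeline from the post and `now` would be `datetime.now(timezone.utc)`.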