I deliberately set the server back 2 years, installed Freeipa-Server, and then 
synchronized the time back. The related service certificate expires. Verify 
this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/expired-certs
But it didn't work out.
I confirm my modification:
1: less /etc/apache2/mods-enabled/nss.conf
#add
NSSEnforceValidCerts off
2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D 
"cn=directory manager" -w directorypassxx -LLL -b cn=config -s base 
"(objectclass=*)" nsslapd-validate-cert
dn: cn=config
nsslapd-validate-cert: warn
You have restarted all services and rebooted the server. However, the result is 
still unable to use the relevant command:
root@ipa-test-65-198:/home# ipa user-find
ipa: ERROR: cert validation failed for 
"CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM" 
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 
'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json': 
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
What is the reason for this? Do I need to view or configure anything? For 
guidance, thank you.
My system is Ubuntu 16.04 and FreeIPA 4.3.

/var/log/apache2/error
[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL 
Library Error: -12269 The server has rejected your certificate as expired

less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify 
certificate failed for cert Server-Cert of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's 
Certificate has expired.)
[04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: 
min: TLS1.0, max: TLS1.2
[04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled 
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target 
cn=groups,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target 
cn=computers,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=ng,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
ou=sudoers,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=users,cn=compat,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target 
cn=ad,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
[04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild 
membership,cn=tasks,cn=config does not exist
[04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be 
added before the CoS Definition.
[04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree 
scan will start in about 5 seconds!
[04/Jul/2022:17:23:08 +0800] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests
[04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS 
requests
[04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket 
for LDAPI requests
[04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up 
under ou=sudoers,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up 
under cn=ng, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up 
under cn=computers, cn=compat,dc=yydevops,dc=com
[04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin 
initialization
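
A log-triage sketch for the two logs quoted in the post, added here as an example; it is not part of the original message and not FreeIPA tooling. It extracts the NSS error codes that signal certificate expiry from Apache and 389-ds error-log records. The function name, the regexes and the unwrapped sample lines are assumptions constructed from the excerpts above.

```python
import re

# NSS error codes seen in the post, with their NSS constant names.
EXPIRY_CODES = {
    "-12269": "SSL_ERROR_EXPIRED_CERT_ALERT",
    "-8181": "SEC_ERROR_EXPIRED_CERTIFICATE",
}

# Apache error log timestamp: [Mon Jul 04 17:40:18.464189 2022]
APACHE_TS = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:.]+ \d{4})\]")
# 389-ds errors log timestamp: [04/Jul/2022:17:23:07 +0800]
DIRSRV_TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:[\d:]+ [+-]\d{4})\]")
# "SSL Library Error: -12269" (mod_nss) or "Runtime error -8181" (389-ds)
CODE = re.compile(r"(?i)error:? (-\d+)\b")
# Certificate nickname as logged by 389-ds
NICK = re.compile(r"for cert (\S+) of family")


def find_expiry_events(lines):
    """Return one dict per log record that reports an expired certificate."""
    events = []
    for line in lines:
        code = CODE.search(line)
        if not code or code.group(1) not in EXPIRY_CODES:
            continue  # not an expiry-related record
        apache, dirsrv = APACHE_TS.match(line), DIRSRV_TS.match(line)
        stamp = apache or dirsrv
        nick = NICK.search(line)
        events.append({
            "source": "apache" if apache else "dirsrv" if dirsrv else "unknown",
            "time": stamp.group(1) if stamp else None,
            "code": code.group(1),
            "name": EXPIRY_CODES[code.group(1)],
            "nickname": nick.group(1) if nick else None,
        })
    return events


# Constructed sample: records from the post, each unwrapped onto one line.
SAMPLE = [
    "[Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired",
    "[04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)",
    "[04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up",
]

if __name__ == "__main__":
    for event in find_expiry_events(SAMPLE):
        print(event)
```

Log records wrapped by a mail client must be rejoined before they are passed in, since each regex expects a whole record on one line.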