> I deliberately set the server back 2 years, installed Freeipa-Server, and then
> synchronized the time back. The related service certificate expires. Verify
> this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
> But it didn't work out.
> I confirm my modification:
> 1: less /etc/apache2/mods-enabled/nss.conf
> #add
> NSSEnforceValidCerts off
> 2: root@ipa-test-65-198:/home/liangrui# ldapsearch -h $(hostname) -p 389 -D "cn=directory manager" -w directorypassxx -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
> dn: cn=config
> nsslapd-validate-cert: warn
> You have restarted all services and rebooted the server. However, the result
> is still unable to use the relevant command
> root@ipa-test-65-198:/home# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipa-test-65-198.hiido.host.yydevops.com,O=YYDEVOPS.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa: ERROR: cannot connect to
> 'https://ipa-test-65-198.hiido.host.yydevops.com/ipa/json':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> What is the reason for this? Do I need to view or configure anything? For
> guidance, thank you.
> My system is Ubuntu 16.04 and FreeIPA 4.3
> 
> /var/log/apache2/error
> [Mon Jul 04 17:40:18.464189 2022] [:error] [pid 2942:tid 140680101848832] SSL Library Error: -12269 The server has rejected your certificate as expired
>
> less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
> [04/Jul/2022:17:23:07 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
> [04/Jul/2022:17:23:07 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> [04/Jul/2022:17:23:07 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
> [04/Jul/2022:17:23:07 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:07 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=yydevops,dc=com does not exist
> [04/Jul/2022:17:23:08 +0800] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [04/Jul/2022:17:23:08 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=yydevops,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [04/Jul/2022:17:23:08 +0800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [04/Jul/2022:17:23:08 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [04/Jul/2022:17:23:08 +0800] - Listening on All Interfaces port 636 for LDAPS requests
> [04/Jul/2022:17:23:08 +0800] - Listening on /var/run/slapd-YYDEVOPS-COM.socket for LDAPI requests
> [04/Jul/2022:17:23:12 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=yydevops,dc=com
> [04/Jul/2022:17:23:13 +0800] schema-compat-plugin - Finished plugin initialization
The document address
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/expired-certs