[Freeipa-users] [Freeipa-devel] Certificate expiration consequences

Florence Blanc-Renaud flo at redhat.com
Thu Dec 22 13:54:29 UTC 2016


On 12/22/2016 12:22 PM, Pablo Hinojosa wrote:
> Hi all,
>
> I have realized my Freeipa webui ssl certificate is about to expire. It
> is supposed to auto-renew but it seems I am affected by this bug/defect
> <https://fedorahosted.org/freeipa/ticket/5522> (maybe due to a
> misconfigured installation). Here
> <https://paste.fedoraproject.org/510994/14824011/> you can check current
> status with getcert list.
>
> My main priority is to know if LDAP login will work when the certificate is
> expired. Will I have problems with it? Will login be blocked? Or will it
> work as expected?
>
> Thanks for your support
>
> Cheers,
>
> --
>
> Pablo Hinojosa
> System administrator
> Kanteron Systems (kanteron.com <http://kanteron.com>)
>
>
>
Hi Pablo,

(moving this discussion to freeipa-users).

You probably have other certificates already expired in your deployment 
(auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, 
subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in 
/etc/pki/pki-tomcat/alias and ipaCert in /etc/httpd/alias).

The best thing to do would be to fix this problem first, and the HTTPd 
and LDAP server certificates should be able to renew automatically.

The following document [1] may help you. The general idea is to find 
which certificate expired first, go back in time (by changing the date 
of your server) and manually renew the certificates.

If your LDAP and HTTP certificates are already expired, the 
documentation [2] explains how to start the IPA stack and also lists the 
limitations when running with expired certificates.

HTH,
Flo.


[1] https://access.redhat.com/solutions/643753
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/expired-certs.html
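The reply's first step is to work out which tracked certificate expired first from the `getcert list` output. The script below is an added example (not from the thread, FreeIPA or certmonger): it parses a constructed sample in `getcert list` layout, lists expired certificates and those certmonger no longer reports as MONITORING, and computes a clock setting one day before the earliest expiry (that margin, the request IDs, dates and statuses are assumptions; the nicknames and NSS database paths are the ones named in the reply).

```python
import re
from datetime import datetime, timedelta
# Constructed sample in certmonger's `getcert list` layout: nicknames follow the
# reply above, but request IDs, dates and statuses are made up for this example.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20161201120000':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2016-11-20 09:15:22 UTC
Request ID '20161201120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2016-12-01 09:15:22 UTC
Request ID '20161201120002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-12-30 10:00:00 UTC
"""

FIELD_RE = re.compile(r"^\s*([a-z -]+): (.*)$", re.M)          # "status: MONITORING"
CERT_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")  # from the certificate: line
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"                           # certmonger prints UTC

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block with the fields the triage needs."""
    certs = []
    for block in re.split(r"^Request ID '", text, flags=re.M)[1:]:
        req_id, _, body = block.partition("':")
        fields = dict(FIELD_RE.findall(body))
        location, nickname = CERT_RE.search(fields["certificate"]).groups()
        certs.append({"id": req_id, "status": fields["status"], "location": location,
                      "nickname": nickname,
                      "expires": datetime.strptime(fields["expires"], EXPIRES_FMT)})
    return certs

def expiry_report(text, now):
    """Sort by expiry; report expired certs, those certmonger is no longer monitoring,
    and a clock setting predating the first expiry (the one-day margin is an assumption)."""
    certs = sorted(parse_getcert_list(text), key=lambda c: c["expires"])
    expired = [c for c in certs if c["expires"] <= now]
    not_monitoring = [c for c in certs if c["status"] != "MONITORING"]
    rewind_to = certs[0]["expires"] - timedelta(days=1) if expired else None
    return {"expired": expired, "not_monitoring": not_monitoring, "rewind_to": rewind_to}

if __name__ == "__main__":
    report = expiry_report(SAMPLE_GETCERT_LIST, datetime(2016, 12, 22, 12, 0))
    for c in report["expired"]:
        print(f"EXPIRED {c['expires']} {c['nickname']} in {c['location']} ({c['status']})")
    print("set the clock back to about", report["rewind_to"])
```

On a real server, feed it the output of `getcert list` instead of the sample; the expired list sorted by date is the order in which renewal has to be redone.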
