[Freeipa-users] [Freeipa-devel] Certificate expiration consequences
Florence Blanc-Renaud
flo at redhat.com
Thu Dec 22 13:54:29 UTC 2016
On 12/22/2016 12:22 PM, Pablo Hinojosa wrote:
> Hi all,
>
> I have realized my FreeIPA web UI SSL certificate is near to expiring. It
> is supposed to auto-renew but it seems I am affected by this bug/defect
> <https://fedorahosted.org/freeipa/ticket/5522> (maybe due to a
> misconfigured installation). Here
> <https://paste.fedoraproject.org/510994/14824011/> you can check the current
> status with getcert list.
>
> My main priority is to know if LDAP login will work when the certificate is
> expired. Will I have problems with it? Will login be blocked? Or will it
> work as expected?
>
> Thanks for your support
>
> Cheers,
>
> --
>
> Pablo Hinojosa
> System administrator
> Kanteron Systems (kanteron.com <http://kanteron.com>)
>
>
>
Hi Pablo,
(moving this discussion to freeipa-users).
You probably have other certificates already expired in your deployment
(auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca,
subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in
/etc/pki/pki-tomcat/alias and ipaCert in /etc/httpd/alias).
The best thing to do would be to fix this problem first, and the HTTPd
and LDAP server certificates should be able to renew automatically.
The following document [1] may help you. The general idea is to find
which certificate expired first, go back in time (by changing the date
of your server) and manually renew the certificates.
If your LDAP and HTTP certificates are already expired, the
documentation [2] explains how to start the IPA stack and also lists the
limitations when running with expired certificates.
HTH,
Flo.
[1] https://access.redhat.com/solutions/643753
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/expired-certs.html
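The triage step in the reply above (find which tracked certificate expired first, roll the clock back to before that instant, then resubmit the renewals) as an added shell example; this is not code from the thread, from FreeIPA or from the Red Hat solution. The getcert output it parses is constructed here, and it assumes certmonger's "expires: YYYY-MM-DD HH:MM:SS UTC" and "nickname='...'" line formats, GNU date for the date arithmetic, and the nicknames named in the reply.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): triage the output
# of "getcert list" to find the certificate that expired first, which is the
# point in time to roll the clock back to before re-running the renewals, and
# emit the matching "getcert resubmit" commands for the expired ones.

# Constructed stand-in for "getcert list" output (assumption: certmonger's
# "expires: YYYY-MM-DD HH:MM:SS UTC" and "nickname='...'" line formats).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20161001120000':
  status: CA_UNREACHABLE
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2016-11-30 10:22:15 UTC
Request ID '20161001120001':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2016-11-12 08:00:00 UTC
Request ID '20161001120002':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  expires: 2016-12-01 09:00:00 UTC
Request ID '20161001120003':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  expires: 2017-01-05 13:00:00 UTC
EOF
}

# Reads getcert output on stdin; prints one line per tracked certificate,
# "YYYY-MM-DD HH:MM:SS <request id> <nickname>", earliest expiry first.
expiry_table() {
    awk -v q="'" '
        $1 == "Request" && $2 == "ID" { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        index($0, "nickname=" q) {
            s = substr($0, index($0, "nickname=" q) + 10)
            nick = substr(s, 1, index(s, q) - 1)
        }
        $1 == "expires:" { print $2, $3, id, nick }
    ' | sort
}

# First line of the table: the certificate that expired (or expires) first.
earliest_expiry() { expiry_table | head -n 1; }

# Certificates already expired at the given "YYYY-MM-DD HH:MM:SS" instant
# (lexicographic comparison works because the timestamps are ISO-ordered).
expired_as_of() {
    expiry_table | awk -v now="$1" '($1 " " $2) < now'
}

# One "getcert resubmit -i <request id>" per expired certificate, to run
# after the clock has been rolled back and certmonger can reach the CA again.
resubmit_commands() {
    expired_as_of "$1" | awk '{ id = $3; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "");
                                printf "getcert resubmit -i %s   # %s\n", id, $0 }'
}

# Instant to set the clock to: one day before the earliest expiry
# (assumption: GNU date, as on the RHEL/Fedora hosts in the thread).
rollback_date() {
    date -u -d "$1 1 day ago" '+%Y-%m-%d %H:%M:%S'
}

now="2016-12-22 12:22:00"   # the date of the original question
first=$(sample_getcert_list | earliest_expiry)
echo "earliest expiry: $first"
sample_getcert_list | resubmit_commands "$now"
if date -u -d "2000-01-01" >/dev/null 2>&1; then
    set -- $first
    echo "roll the clock back to: $(rollback_date "$1 $2")"
fi
```

On a real server, replace sample_getcert_list with `getcert list` itself; the functions only read stdin. The point of sorting by expiry is that the first expired certificate gates the rest: with the subsystem or agent certificate expired, certmonger cannot authenticate to the CA to renew anything else, which is why the clock has to go back to before that one specific date rather than to an arbitrary earlier time.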