Dear all,

I am running a FreeIPA instance in our group at the university and, in the past, replacing SSL certificates for LDAP/HTTPD hasn't been a problem because I always updated them before they expired (they have to be renewed every year).

This time, however, the certificates expired before I could renew them. In addition, university decided to switch to a different CA.

The usual way of renewing certificates didn't work because I got a "Peer's Certificate has expired." error.

I have read a lot of posts and potential solutions online and, following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/proc_replacing-the-web-server-and-ldap-server-certificates-if-they-have-expired-in-the-whole-idm-deployment_configuring-and-managing-idm , I managed to manually install the new CA root and intermediate certificates as well as the LDAP/HTTP certificates into the NSS database (they show up when using "certutil -d /etc/dirsrv/slapd-DOMAIN/ -L").

Problem: When trying to enroll the new certificates to LDAP storage using "ipa-server-certinstall" I again/still see the familiar error

"The server certificate in privkey.pem, auth_full.pem is not valid: certutil: certificate is invalid: Peer's Certificate has expired."

I assume this is because the old certificate (that the LDAP server is still using) has expired but when setting back system time (which I have also tried) the new certificate is not valid yet?!

Is the only solution to get a certificate somehow that overlaps both the old and new validity periods or is there another way, e.g. by forcing the certificate install by ignoring the expiry?

Thanks a lot in advance!

Andreas
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
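Added example (not part of the thread above and not FreeIPA's own tooling): before handing a renewed certificate to ipa-server-certinstall, it helps to confirm, independently of the system clock, that the new leaf certificate actually chains to the new CA and that the private key belongs to it. `openssl verify -attime` evaluates the chain as of a chosen UNIX time, which is the check the post was trying to approximate by setting the clock back. The script below generates a throwaway CA and leaf certificate so it runs offline; the file names privkey.pem, auth_full.pem and ca-bundle.pem are assumptions mirroring the post, and on a real server you would point the functions at the new CA bundle and the renewed LDAP/HTTP certificate instead.

```shell
#!/bin/sh
# Constructed example: a throwaway CA and leaf certificate are generated here
# so the checks run without network access. On a real IPA server, replace
# them with the new CA bundle and the renewed server certificate (assumed
# names: ca-bundle.pem, privkey.pem, auth_full.pem).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, 365-day validity (constructed, not a real university CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.pem" 2>/dev/null

# Leaf certificate for the LDAP/HTTP host, signed by that CA, 365 days.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ipa.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca-bundle.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/auth_full.pem" 2>/dev/null

# Print the notBefore/notAfter window of a PEM certificate; this is the
# window that certutil and openssl compare against the clock.
cert_window() {
    openssl x509 -noout -startdate -enddate -in "$1"
}

# Verify CERT against CA_BUNDLE as of UNIX time EPOCH without touching the
# system clock. Exit status 0 means the chain is valid at that instant.
verify_at() {
    ca_bundle=$1
    cert=$2
    epoch=$3
    openssl verify -attime "$epoch" -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1
}

# Check that the private key and certificate carry the same public key,
# i.e. that privkey.pem really belongs to auth_full.pem.
key_matches_cert() {
    key=$1
    cert=$2
    [ "$(openssl pkey -pubout -in "$key")" = "$(openssl x509 -noout -pubkey -in "$cert")" ]
}

# Stand-alone demonstration.
cert_window "$WORK/auth_full.pem"
NOW=$(date +%s)
if verify_at "$WORK/ca-bundle.pem" "$WORK/auth_full.pem" "$NOW"; then
    echo "chain valid at $(date -u)"
else
    echo "chain NOT valid now: check CA bundle, dates and intermediates"
fi
if key_matches_cert "$WORK/privkey.pem" "$WORK/auth_full.pem"; then
    echo "private key matches certificate"
fi
```

`verify_at` with a timestamp inside the new certificate's window tells you whether the new chain is sound on its own; running it with the current time and seeing "certificate has expired" means the problem is the files being installed, not the expired certificate the directory server is still serving. The check is independent of the NSS database, so a pass here does not by itself prove that certutil will accept the same chain from the database, but a failure here rules out the new chain before any further troubleshooting.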