okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
Not Before: Fri Jan 06 19:36:22 2023
Not After : Sat Jan 06 19:36:22 2024
Where's the actual location of the server certificate? Thanks,
On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <[email protected]>
wrote:
> Hi,
>
> On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <
> [email protected]> wrote:
>
>> [root @ ldap01]
>> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
>> Not Before: Jan 12 15:30:18 2024 GMT
>> Not After : Jan 11 15:30:18 2025 GMT
>>
> So httpd server cert is still valid.
>
>
>> also, am I looking at the correct one here?:
>> [root @ ldap01]
>> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> APP.UAAP.MAXAR.COM IPA CA                                    CT,C,C
>>
> ^^ this one is IPA CA, not the server certificate for LDAP.
>
>> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com            C,,
>> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com            C,,
>> CN=Maxar Policy CA East,DC=Maxar,DC=com                      C,,
>> CN=Maxar Policy CA West,DC=Maxar,DC=com                      C,,
>> CN=Maxar Root CA,CN=Maxar,CN=com                             C,,
>> CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US u,u,u
>>
>> [root @ ldap01]
>> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
>> Not Before: Thu Feb 02 14:06:44 2023
>> Not After : Mon Feb 02 14:06:44 2043
>>
> Based on the nicknames, I would check
> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US'
> but you can verify the cert name in
> /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in
> the entry cn=RSA,cn=encryption,cn=config in the attribute
> nsSSLPersonalitySSL.
> For instance in my server I have:
>
> dn: cn=RSA,cn=encryption,cn=config
> cn: RSA
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20220121155703Z
> nsSSLActivation: on
> *nsSSLPersonalitySSL: Server-Cert*
> nsSSLToken: internal (software)
> objectClass: top
> objectClass: nsEncryptionModule
>
> HTH,
> flo
>
>
> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
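The lookup described in the quoted reply (read nsSSLPersonalitySSL from cn=RSA,cn=encryption,cn=config in dse.ldif, then check that nickname with certutil), as an added example that is not part of the original thread. The function names ds_cert_nickname and ds_cert_validity are hypothetical, and the script assumes dse.ldif sits in the same instance directory as the NSS database, as in the paths shown above.

```shell
#!/bin/sh
# Added example (not from the thread): find which certificate nickname the
# directory server is configured to present, then show its validity window.

# Print the nsSSLPersonalitySSL value from cn=RSA,cn=encryption,cn=config.
# LDIF folds long lines: a continuation line starts with one space, which
# matters here because subject-DN nicknames are often long enough to fold.
ds_cert_nickname() {
    awk '
        function flush() {
            if (line == "") return
            low = tolower(line)          # attribute names and DNs are case-insensitive
            if (low ~ /^dn:/) {
                dn = low
                sub(/^dn:[ \t]*/, "", dn)
                gsub(/[ \t]*,[ \t]*/, ",", dn)
                in_rsa = (dn == "cn=rsa,cn=encryption,cn=config")
            } else if (in_rsa && low ~ /^nssslpersonalityssl:/) {
                val = line
                sub(/^[^:]*:[ \t]*/, "", val)
                print val
                found = 1
            }
            line = ""
        }
        /^ / { line = line substr($0, 2); next }   # unfold continuation line
        { flush(); line = $0 }
        /^$/ { in_rsa = 0 }                        # blank line ends the entry
        END  { flush(); exit(found ? 0 : 1) }
    ' "$1"
}

# Show Not Before / Not After for the configured server certificate.
# $1 is the instance directory, e.g. /etc/dirsrv/slapd-YOURDOMAIN
ds_cert_validity() {
    instance_dir=$1
    nick=$(ds_cert_nickname "$instance_dir/dse.ldif") || {
        echo "nsSSLPersonalitySSL not found in $instance_dir/dse.ldif" >&2
        return 1
    }
    echo "Configured nickname: $nick"
    certutil -L -d "$instance_dir" -n "$nick" | grep 'Not '
}
```

Run `ds_cert_validity /etc/dirsrv/slapd-YOURDOMAIN` as root on the server; a Not After date in the past means the LDAP server certificate itself has expired, even if the IPA CA and httpd certificates are still valid.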