On 12/22/2016 12:22 PM, Pablo Hinojosa wrote:
Hi all,

I have realized my Freeipa webui ssl certificate is near to expire. It
is supposed to auto-renew but it seems I am affected by this bug/defect
<https://fedorahosted.org/freeipa/ticket/5522> (maybe due to a
missconfigured installation). Here
<https://paste.fedoraproject.org/510994/14824011/> you can check current
status with getcert list.

My main priority is to know if LDAP login will work when certificated is
expired. Will I have problems with it? Will login blocked? or it will
work as expected.

Thanks for your support



Pablo Hinojosa
System administrator
Kanteron Systems (kanteron.com <http://kanteron.com>)

Hi Pablo,

(moving this discussion to freeipa-users).

you probably have other certificates already expired in your deployment (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in /etc/pki/pki-tomcat/alias and ipaCert in /etc/httpd/alias).

The best thing to do would be to fix this problem first, and the HTTPd and LDAP server certificates should be able to renew automatically.

The following document [1] may help you. The general idea is to find which certificate expired first, go back in time (by changing the date of your server) and manually renew the certificates.

If your LDAP and HTTP certificates are already expired, the documentation [2] explains how to start IPA stack and also lists the limitations when running with expired certificates.


[1] https://access.redhat.com/solutions/643753
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/expired-certs.html

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to