On 12/22/2016 12:22 PM, Pablo Hinojosa wrote:
I have realized my FreeIPA web UI SSL certificate is close to expiring. It
is supposed to auto-renew but it seems I am affected by this bug/defect
<https://fedorahosted.org/freeipa/ticket/5522> (maybe due to a
misconfigured installation). Here
<https://paste.fedoraproject.org/510994/14824011/> you can check the current
status with getcert list.
My main priority is to know if LDAP login will work when the certificate is
expired. Will I have problems with it? Will login be blocked, or will it
work as expected?
Thanks for your support
Kanteron Systems (kanteron.com <http://kanteron.com>)
(moving this discussion to freeipa-users).
You probably have other certificates already expired in your deployment
(auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca,
subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in
/etc/pki/pki-tomcat/alias and ipaCert in /etc/httpd/alias).
The best thing to do would be to fix this problem first, and the HTTPd
and LDAP server certificates should be able to renew automatically.
The following document may help you. The general idea is to find
which certificate expired first, go back in time (by changing the date
of your server) and manually renew the certificates.
If your LDAP and HTTP certificates are already expired, the
documentation explains how to start the IPA stack and also lists the
limitations when running with expired certificates.
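
Added example, not part of the original thread: one way to find which tracked certificate expired first from `getcert list` output, so you know which date the clock has to be set before. The function names `parse_getcert` and `expired_first` are hypothetical, and the sample output is constructed in the layout `getcert list` prints; expiry times are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by `getcert list` (values are made up).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150101000001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2016-11-20 10:00:00 UTC
Request ID '20150101000002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2016-12-01 10:00:00 UTC
Request ID '20150101000003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2017-01-05 10:00:00 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request: id, status, location, nickname, expires."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # header line or anything before the first request
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "status":
            cur["status"] = value
        elif key == "certificate":
            # FILE-type entries have no nickname; that field is then None.
            for field in ("location", "nickname"):
                fm = re.search(field + r"='([^']*)'", value)
                cur[field] = fm.group(1) if fm else None
        elif key == "expires":
            stamp = datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")
            cur["expires"] = stamp.replace(tzinfo=timezone.utc)  # assumption: UTC
    return entries

def expired_first(entries, now):
    """Expired certificates, oldest expiry first; element 0 is where renewal starts."""
    gone = [e for e in entries if e.get("expires") and e["expires"] <= now]
    return sorted(gone, key=lambda e: e["expires"])
```

On a real server, pass the text of `getcert list` to `parse_getcert` instead of `SAMPLE` and the current UTC time as `now`.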