Andreas Bulling via FreeIPA-users wrote:
> Dear all,
>
> I am running a FreeIPA instance in our group at the university and, in the past, replacing SSL certificates for LDAP/HTTPD hasn't been a problem because I always updated them before they expired (they have to be renewed every year).
>
> This time, however, the certificates expired before I could renew them. In addition, the university decided to switch to a different CA.
>
> The usual way of renewing certificates didn't work because I got a "Peer's Certificate has expired." error.
>
> I have read a lot of posts and potential solutions online and, following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/proc_replacing-the-web-server-and-ldap-server-certificates-if-they-have-expired-in-the-whole-idm-deployment_configuring-and-managing-idm I managed to manually install the new CA root and intermediate certificates as well as the LDAP/HTTP certificates into the NSS database (they show up when using "certutil -d /etc/dirsrv/slapd-DOMAIN/ -L").
>
> Problem: When trying to enroll the new certificates to LDAP storage using "ipa-server-certinstall" I again/still see the familiar error
>
> "The server certificate in privkey.pem, auth_full.pem is not valid: certutil: certificate is invalid: Peer's Certificate has expired."
>
> I assume this is because the old certificate (that the LDAP server is still using) has expired, but when setting back the system time (which I have also tried) the new certificate is not valid yet?!
>
> Is the only solution to get a certificate somehow that overlaps both the old and new validity periods, or is there another way, e.g. by forcing the certificate install by ignoring the expiry?
We need to know more about your installation. What version of IPA is this? Do you have the IPA CA installed or is this a CA-less installation?

I can say that the fact that the CA chain changed is going to cause problems even once you get your IPA server back up unless your clients already trust the new chain.

rob

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
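The question above is whether only a certificate whose validity overlaps the expired one can get past the time check. The script below is an added example, not code from either poster or from FreeIPA: it reads notBefore/notAfter straight out of DER with the standard library, so the two windows can be compared without connecting to the expired LDAP server, and it uses constructed, unsigned certificate shells (`fake_cert`, `OLD`, `NEW`) as sample input.

```python
"""Stdlib-only check of X.509 validity windows; a minimal DER walker reads
notBefore/notAfter so nothing has to connect to the expired LDAP server."""
from datetime import datetime, timezone

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def read_time(buf, pos):
    tag, start, end = tlv(buf, pos)          # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc), end

def validity(der):
    """(notBefore, notAfter) of a DER certificate, following the RFC 5280 field order."""
    pos = tlv(der, tlv(der, 0)[1])[1]        # Certificate -> tbsCertificate contents
    if der[pos] == 0xA0:                     # optional [0] EXPLICIT version
        pos = tlv(der, pos)[2]
    for _ in range(3):                       # skip serialNumber, signature, issuer
        pos = tlv(der, pos)[2]
    _, pos, _ = tlv(der, pos)                # validity SEQUENCE
    not_before, pos = read_time(der, pos)
    return not_before, read_time(der, pos)[0]

def swap_window(old_der, new_der):
    """Interval in which both certificates are valid, or None when they do not
    overlap (then no clock setting lets both pass a validity-time check)."""
    (ob, oa), (nb, na) = validity(old_der), validity(new_der)
    start, end = max(ob, nb), min(oa, na)
    return (start, end) if start <= end else None

# --- constructed sample data: unsigned certificate shells, no real keys ---------
def utc(*ymd): return datetime(*ymd, tzinfo=timezone.utc)
def encode_tlv(tag, body):                   # short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body

def fake_cert(not_before, not_after):
    t = lambda d: encode_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) + encode_tlv(0x02, b"\x01")
           + encode_tlv(0x30, b"") + encode_tlv(0x30, b"")
           + encode_tlv(0x30, t(not_before) + t(not_after)))
    return encode_tlv(0x30, encode_tlv(0x30, tbs))

OLD = fake_cert(utc(2023, 3, 1), utc(2024, 3, 1))    # expired, still on the LDAP server
NEW = fake_cert(utc(2024, 3, 10), utc(2025, 3, 10))  # issued after the old one lapsed
```

For real files, the stdlib `ssl.PEM_cert_to_DER_cert()` converts a single-certificate PEM (such as the thread's auth_full.pem, if it holds one certificate) to the DER that `validity` expects; a `None` from `swap_window` means no system-time adjustment can make both certificates pass a time check at once.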