26.5. Allowing IdM to Start with Expired Certificates
After the IdM server certificates expire, most IdM services become inaccessible. As a stopgap, you can configure the underlying Apache (mod_nss) and LDAP (Directory Server) services to keep serving SSL connections even though their certificates have expired.
If you allow limited access with expired certificates:
- The Apache, Kerberos, DNS, and LDAP services keep working, so users can still log in to the IdM domain.
- Client services that require SSL to reach the server still fail. For example, sudo fails on IdM clients because it relies on SSSD, and SSSD needs SSL to contact IdM.
Important
This procedure is intended only as a temporary workaround. Renew the required certificates as quickly as possible, and then revert the described changes.
- Configure the mod_nss module for the Apache server so that it does not enforce certificate validity:
  - Open the /etc/httpd/conf.d/nss.conf file.
  - Set the NSSEnforceValidCerts parameter to off:
    NSSEnforceValidCerts off
  - Restart Apache:
    # systemctl restart httpd.service
- Make sure that validity checks are disabled for the LDAP directory server. To do this, verify that the nsslapd-validate-cert attribute in the cn=config entry is set to warn:
  # ldapsearch -h server.example.com -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
  dn: cn=config
  nsslapd-validate-cert: warn
  If the attribute is not set to warn, change it. ldapmodify reads the LDIF from standard input; type the four lines below and end the input with Ctrl+D:
  # ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
  dn: cn=config
  changetype: modify
  replace: nsslapd-validate-cert
  nsslapd-validate-cert: warn
  Passing the Directory Manager password with -w exposes it in the process list and in the shell history; prefer -W, which prompts for the password instead.
- Restart the directory server:
  # systemctl restart dirsrv.target
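The procedure above is usually carried out by hand on a server that is already half broken, and then has to be undone once the certificates are renewed. The following shell helpers, which are an added example and not part of the Red Hat documentation or of IdM itself, wrap the two configuration changes so they can be applied and reverted consistently: one pair of functions reads and rewrites NSSEnforceValidCerts in an nss.conf-style file (keeping a backup for the revert), another reads the nsslapd-validate-cert value out of ldapsearch output and emits the LDIF that ldapmodify needs. The function names, the temporary file handling and the sample nss.conf fragment and ldapsearch output at the bottom are assumptions constructed for the demo; the functions never contact a server, so the block runs offline. On a real server you would point set_nss_enforce at /etc/httpd/conf.d/nss.conf, pipe the real ldapsearch output into validate_cert_from_search, and pipe validate_cert_ldif into ldapmodify.

```shell
#!/bin/bash
# Added example, not from the IdM documentation. Helpers for the
# "start IdM with expired certificates" workaround and its revert.
set -u

# Print the current NSSEnforceValidCerts value from an nss.conf-style file.
# mod_nss enforces validity unless the directive is explicitly set to off,
# so an absent directive is reported as "on".
get_nss_enforce() {
    local conf="$1" val
    val=$(awk 'tolower($1) == "nssenforcevalidcerts" { v = tolower($2) } END { print v }' "$conf")
    printf '%s\n' "${val:-on}"
}

# Set NSSEnforceValidCerts to on|off in place. A copy of the original file
# is kept as FILE.bak so the change can be reverted after renewal. The file
# is rewritten through cat > so its owner and mode are preserved.
set_nss_enforce() {
    local conf="$1" want="$2" tmp
    case "$want" in
        on|off) ;;
        *) echo "usage: set_nss_enforce FILE on|off" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak"
    tmp=$(mktemp)
    awk -v want="$want" '
        tolower($1) == "nssenforcevalidcerts" { print "NSSEnforceValidCerts " want; seen = 1; next }
        { print }
        END { if (!seen) print "NSSEnforceValidCerts " want }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Read ldapsearch -LLL output for cn=config on stdin and print the
# nsslapd-validate-cert value, or "unset" if the attribute is absent.
validate_cert_from_search() {
    awk -F': ' 'tolower($1) == "nsslapd-validate-cert" { v = $2 } END { print (v == "" ? "unset" : v) }'
}

# Emit the LDIF that ldapmodify applies to relax the directory server check.
# Pass VALUE to emit the revert (for example the value saved before the change).
validate_cert_ldif() {
    local value="${1:-warn}"
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-validate-cert\nnsslapd-validate-cert: %s\n' "$value"
}

# --- demo on constructed input; no IdM server is contacted ---
demo() {
    local conf cur
    conf=$(mktemp)
    # constructed fragment standing in for /etc/httpd/conf.d/nss.conf
    cat > "$conf" <<'EOF'
NSSEngine on
NSSEnforceValidCerts on
NSSCertificateDatabase /etc/httpd/alias
EOF
    echo "mod_nss before: $(get_nss_enforce "$conf")"
    set_nss_enforce "$conf" off
    echo "mod_nss after:  $(get_nss_enforce "$conf") (backup in $conf.bak)"

    # constructed ldapsearch output showing the check still enforced
    cur=$(printf 'dn: cn=config\nnsslapd-validate-cert: on\n' | validate_cert_from_search)
    if [ "$cur" != warn ]; then
        echo "nsslapd-validate-cert is '$cur'; LDIF to pipe into ldapmodify -W:"
        validate_cert_ldif
        echo "LDIF to revert once certificates are renewed:"
        validate_cert_ldif "$cur"
    fi
    rm -f "$conf" "$conf.bak"
}
demo
```

Keep the value that validate_cert_from_search reports before the change; passing it back to validate_cert_ldif produces the revert LDIF, so the temporary relaxation is undone with the same tooling that applied it.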