26.5. Allowing IdM to Start with Expired Certificates
After the IdM administrative server certificates expire, most IdM services become inaccessible. You can configure the underlying Apache and LDAP services to allow SSL access to the services even if the certificates are expired.
If you allow limited access with expired certificates:
- Apache, Kerberos, DNS, and LDAP services will continue working. With these services active, users will be able to log in to the IdM domain.
- Client services that require SSL for access will still fail. For example, sudo will fail because it requires SSSD on IdM clients, and SSSD needs SSL to contact IdM.
Important
This procedure is intended only as a temporary workaround. Renew the required certificates as quickly as possible, and then revert the described changes.
- Configure the mod_nss module for the Apache server to not enforce valid certificates.
  - Open the /etc/httpd/conf.d/nss.conf file.
  - Set the NSSEnforceValidCerts parameter to off:
    NSSEnforceValidCerts off
  - Restart Apache.
    # systemctl restart httpd.service
- Make sure that validity checks are disabled for the LDAP directory server. To do this, verify that the nsslapd-validate-cert attribute is set to warn:
  # ldapsearch -h server.example.com -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
  dn: cn=config
  nsslapd-validate-cert: warn
  If the attribute is not set to warn, change it.
- Restart the directory server.
  # systemctl restart dirsrv.target
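Because the workaround above is meant to be reverted once the certificates are renewed, the following added script (not part of the Red Hat documentation) audits whether either relaxation is still in place: it checks the effective NSSEnforceValidCerts directive in nss.conf and the nsslapd-validate-cert attribute returned by the documented ldapsearch. The file path and ldapsearch parameters are the documented ones; reading the Directory Manager password from the DM_PASSWORD variable and the NSS_CONF override are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of the Red Hat documentation: report whether the
# expired-certificate workaround is still active on an IdM server so that it
# can be reverted after the certificates have been renewed.
# Assumptions: documented file path and ldapsearch parameters; the Directory
# Manager password comes from DM_PASSWORD; NSS_CONF may override the path.

# Return 0 when the last active NSSEnforceValidCerts directive in the given
# nss.conf is "off" (workaround active), 1 when it is on or absent.
# Commented-out lines are skipped; the last occurrence wins, as in Apache.
nss_enforcement_disabled() {
    value=$(grep -Ei '^[[:space:]]*NSSEnforceValidCerts[[:space:]]' "$1" \
            | tail -n 1 | awk '{print tolower($2)}')
    [ "$value" = "off" ]
}

# Return 0 when LDIF output for cn=config contains nsslapd-validate-cert: warn
# (validation relaxed), 1 for any other value or when the attribute is missing.
ldap_validation_is_warn() {
    printf '%s\n' "$1" \
        | grep -qi '^nsslapd-validate-cert:[[:space:]]*warn[[:space:]]*$'
}

# Fetch the live attribute with the ldapsearch command from the procedure.
fetch_validate_cert() {
    ldapsearch -h "$1" -p 389 -D "cn=directory manager" -w "$DM_PASSWORD" \
        -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
}

# Print which settings are still relaxed; exit status 0 means none are.
audit_workaround() {
    status=0
    if nss_enforcement_disabled "${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"; then
        echo "WARN: mod_nss NSSEnforceValidCerts is off (workaround active)"
        status=1
    fi
    if ldap_validation_is_warn "$(fetch_validate_cert "$1")"; then
        echo "WARN: nsslapd-validate-cert is warn (workaround active)"
        status=1
    fi
    return "$status"
}

# Run the live audit only when a server name is given, for example:
#   DM_PASSWORD=secret ./audit.sh server.example.com
if [ "$#" -ge 1 ]; then
    audit_workaround "$1"
fi
```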