Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
26.5. Allowing IdM to Start with Expired Certificates
After the IdM administrative server certificates expire, most IdM services become inaccessible. You can configure the underlying Apache and LDAP services to allow SSL access to the services even if the certificates are expired.
If you allow limited access with expired certificates:
- Apache, Kerberos, DNS, and LDAP services will continue working. With these services active, users will be able to log in to the IdM domain.
- Client services that require SSL for access will still fail. For example,
sudowill fail because it requires SSSD on IdM clients, and SSSD needs SSL to contact IdM.
Important
This procedure is intended only as a temporary workaround. Renew the required certificates as quickly as possible, and then revert the described changes.
- Configure the
mod_nssmodule for the Apache server to not enforce valid certificates.- Open the
/etc/httpd/conf.d/nss.conffile. - Set the
NSSEnforceValidCertsparameter tooff:Copy to Clipboard Copied! Toggle word wrap Toggle overflow NSSEnforceValidCerts off
NSSEnforceValidCerts off
- Restart Apache.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart httpd.service
# systemctl restart httpd.service - Make sure that validity checks are disabled for the LDAP directory server. To do this, verify that the
nsslapd-validate-certattribute is set towarn:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ldapsearch -h server.example.com -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
# ldapsearch -h server.example.com -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert dn: cn=config nsslapd-validate-cert: warnIf the attribute is not set towarn, change it:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
# ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com dn: cn=config changetype: modify replace: nsslapd-validate-cert nsslapd-validate-cert: warn - Restart the directory server.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart dirsrv.target
# systemctl restart dirsrv.target
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}