26.5. Allowing IdM to Start with Expired Certificates

After the IdM administrative server certificates expire, most IdM services become inaccessible. You can configure the underlying Apache and LDAP services to allow SSL access to the services even if the certificates are expired.
If you allow limited access with expired certificates:
  • Apache, Kerberos, DNS, and LDAP services will continue working. With these services active, users will be able to log in to the IdM domain.
  • Client services that require SSL for access will still fail. For example, sudo will fail because it requires SSSD on IdM clients, and SSSD needs SSL to contact IdM.
This procedure is intended only as a temporary workaround. Renew the required certificates as quickly as possible, and then revert the described changes.
  1. Configure the mod_nss module for the Apache server to not enforce valid certificates.
    1. Open the /etc/httpd/conf.d/nss.conf file.
    2. Set the NSSEnforceValidCerts parameter to off:
      NSSEnforceValidCerts off
  2. Restart Apache.
    # systemctl restart httpd.service
  3. Make sure that validity checks are disabled for the LDAP directory server. To do this, verify that the nsslapd-validate-cert attribute is set to warn:
    # ldapsearch -x -h <IdM-server-hostname> -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert
    dn: cn=config
    nsslapd-validate-cert: warn
    Replace <IdM-server-hostname> with the host name of the IdM server. The -x option selects a simple bind, which the Directory Manager credentials require.
    If the attribute is not set to warn, change it:
    # ldapmodify -x -D "cn=directory manager" -w secret -p 389 -h <IdM-server-hostname>
    dn: cn=config
    changetype: modify
    replace: nsslapd-validate-cert
    nsslapd-validate-cert: warn
    Enter the LDIF lines above as input to ldapmodify and finish the entry with an empty line, then press Ctrl+D.
  4. Restart the directory server.
    # systemctl restart dirsrv@<INSTANCE>.service
    Replace <INSTANCE> with the name of the IdM directory server instance on this server.
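Because the procedure above is a temporary relaxation that must be reverted after the certificates are renewed, an audit that shows whether it is still in place is useful. The following shell helper is an added example, not part of the Red Hat procedure: it reads the NSSEnforceValidCerts directive from an nss.conf-style file and the nsslapd-validate-cert value from saved ldapsearch output, and reports when either service would still start with an expired certificate. The sample configuration and ldapsearch output it uses are constructed; treating an absent NSSEnforceValidCerts directive as "on" is the script's own assumption.

```shell
#!/bin/sh
# Audit helper (added example, not part of the Red Hat procedure): reports
# whether the expired-certificate relaxations from this section are still in
# effect so they are not forgotten once the certificates have been renewed.
# The sample nss.conf content and ldapsearch output below are constructed.

# Effective NSSEnforceValidCerts value in an nss.conf-style file.
# The last matching directive wins; an absent directive is treated as "on"
# (the script's assumption, since the page only documents setting it to off).
nss_enforce_state() {
    val=$(sed -n 's/^[[:space:]]*NSSEnforceValidCerts[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-on}" | tr 'A-Z' 'a-z'
}

# nsslapd-validate-cert value from saved "ldapsearch -LLL ... -b cn=config" output.
ldap_validate_cert_state() {
    val=$(sed -n 's/^nsslapd-validate-cert:[[:space:]]*//p' "$1" | head -n 1)
    printf '%s\n' "${val:-unset}" | tr 'A-Z' 'a-z'
}

# True (exit 0) when either service would still accept an expired server
# certificate: Apache no longer enforcing validity, or the directory server
# set to anything but "on" (both "warn" and "off" let it start regardless).
workaround_active() {
    [ "$(nss_enforce_state "$1")" = "off" ] || [ "$(ldap_validate_cert_state "$2")" != "on" ]
}

# Constructed sample inputs. On a real server, point the functions at
# /etc/httpd/conf.d/nss.conf and at the saved output of the ldapsearch in step 3.
sample_dir=$(mktemp -d)
cat > "$sample_dir/nss.conf" <<'EOF'
NSSEngine on
# relaxed as in step 1 of the procedure
NSSEnforceValidCerts off
EOF
cat > "$sample_dir/nss-default.conf" <<'EOF'
NSSEngine on
NSSEnforceValidCerts on
EOF
cat > "$sample_dir/validate-cert.ldif" <<'EOF'
dn: cn=config
nsslapd-validate-cert: warn
EOF

if workaround_active "$sample_dir/nss.conf" "$sample_dir/validate-cert.ldif"; then
    echo "WARNING: expired-certificate workaround still active (httpd: $(nss_enforce_state "$sample_dir/nss.conf"), dirsrv: $(ldap_validate_cert_state "$sample_dir/validate-cert.ldif"))"
fi
```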