26.5. Allowing IdM to Start with Expired Certificates

After the IdM administrative server certificates expire, most IdM services become inaccessible. You can configure the underlying Apache and LDAP services to allow SSL access to the services even if the certificates are expired.
If you allow limited access with expired certificates:
  • Apache, Kerberos, DNS, and LDAP services will continue working. With these services active, users will be able to log in to the IdM domain.
  • Client services that require SSL for access will still fail. For example, sudo will fail because it requires SSSD on IdM clients, and SSSD needs SSL to contact IdM.

Important

This procedure is intended only as a temporary workaround. Renew the required certificates as quickly as possible, and then revert the described changes.
  1. Configure the mod_nss module for the Apache server to not enforce valid certificates.
    1. Open the /etc/httpd/conf.d/nss.conf file.
    2. Set the NSSEnforceValidCerts parameter to off: 
      NSSEnforceValidCerts off
  2. Restart Apache. 
    # systemctl restart httpd.service
  3. Make sure that validity checks are disabled for the LDAP directory server. To do this, verify that the nsslapd-validate-cert attribute is set to warn: 
    # ldapsearch -h server.example.com -p 389 -D "cn=directory manager" -w secret -LLL -b cn=config -s base "(objectclass=*)" nsslapd-validate-cert

dn: cn=config
nsslapd-validate-cert: warn
    If the attribute is not set to warn, change it: 
    # ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
	
dn: cn=config
changetype: modify
replace: nsslapd-validate-cert
nsslapd-validate-cert: warn
  4. Restart the directory server. 
    # systemctl restart dirsrv.target