Bug 733440

Summary: [RFE] add option to allow server to start with an expired certificate
Product: Red Hat Enterprise Linux 6
Reporter: Rich Megginson <rmeggins>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: unspecified
Version: 6.2
CC: amsharma, benl, dpal, edewata, jgalipea, nhosoi, nkinder, rcritten, rmeggins
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.2.9.8-1.el6
Doc Type: Enhancement
Clone Of: 728592
Last Closed: 2011-12-06 17:56:09 UTC
Bug Depends On: 728592
Bug Blocks: 690318, 728950

Description Rich Megginson 2011-08-25 17:37:44 UTC
This was fixed after 1.2.9.6 so not included in the rebase, so it has been cloned.

+++ This bug was initially created as a clone of Bug #728592 +++

Description of problem:

389-ds is the heart of IPA and in order to renew any certificate it needs to be up and running. We therefore need an option in dse.ldif to allow 389-ds to launch even if its certificate is expired, understanding that proper SSL clients will not communicate with it.

This relates to IPA ticket https://fedorahosted.org/freeipa/ticket/1576

--- Additional comment from rmeggins on 2011-08-08 11:33:46 EDT ---

What is the severity? What is the timeframe you need a solution by?
Also see my comments in the ticket.

--- Additional comment from nkinder on 2011-08-23 17:25:14 EDT ---

Created attachment 519524
Patch

--- Additional comment from nkinder on 2011-08-23 17:46:21 EDT ---

Pushed patch to master.  Thanks to Noriko and Rich for their reviews!

Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.09 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   96663b0..971dded  master -> master

--- Additional comment from nkinder on 2011-08-23 17:50:40 EDT ---

Pushed patch to 389-ds-base-1.2.9 branch:

Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.09 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   c0b0ef8..5ff4af3  129-local -> 389-ds-base-1.2.9

Comment 2 Amita Sharma 2011-10-13 09:42:48 UTC
Bug test is automated under the SSL test suite and test cases are passing, hence marking as VERIFIED.

Comment 3 errata-xmlrpc 2011-12-06 17:56:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1711.html