We should document how to start the basic IPA services when the SSL certificates have expired so one can run in a degraded mode while the underlying problems are resolved.
- In mod_nss, set EnforceValidCerts to no and restart httpd
- In 389-ds, set nsslapd-validate-cert to warn in dse.ldif
Doing these should allow Apache, Kerberos, named and 389-ds-base all to come up so at least users can log in. Client services (e.g. sudo) that require SSL will still fail due to the expired server certificates.
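The two settings above as a small script, added here as an example and not part of the ticket or of FreeIPA. mod_nss spells its directive `NSSEnforceValidCerts` with values `on`/`off`; the function names and the file paths passed in by the caller are assumptions.

```shell
#!/bin/sh
# Added example. Order of use: stop the services, run both functions, start the
# services, then set the values back to "on" once the certificates are renewed.

# Set nsslapd-validate-cert (on|off|warn) in the cn=config entry of a dse.ldif.
# Run only while the dirsrv instance is stopped: the server rewrites dse.ldif
# on shutdown, so an edit made while it is running is lost.
set_ds_validate_cert() {
    ldif=$1 value=$2
    case $value in on|off|warn) ;; *) echo "invalid value: $value" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    cp -p "$ldif" "$ldif.bak" || return 1        # keep a copy to restore from
    awk -v val="$value" '
        tolower($0) == "dn: cn=config" {         # start of the global config entry
            print; print "nsslapd-validate-cert: " val; in_cfg = 1; next
        }
        /^$/ { in_cfg = 0 }                      # a blank line ends an LDIF entry
        in_cfg && tolower($0) ~ /^nsslapd-validate-cert:/ { next }  # drop old value
        { print }
    ' "$ldif.bak" > "$tmp" && cat "$tmp" > "$ldif"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Set NSSEnforceValidCerts (on|off) in a mod_nss configuration file, replacing
# an active directive if present and appending one otherwise.
set_nss_enforce_valid_certs() {
    conf=$1 value=$2
    case $value in on|off) ;; *) echo "invalid value: $value" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    cp -p "$conf" "$conf.bak" || return 1
    awk -v val="$value" '
        /^[ \t]*NSSEnforceValidCerts[ \t]/ {     # commented-out lines do not match
            if (!seen) print "NSSEnforceValidCerts " val
            seen = 1; next
        }
        { print }
        END { if (!seen) print "NSSEnforceValidCerts " val }
    ' "$conf.bak" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}
```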
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=813382
Metadata Update from @rcritten:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 2.2.0 Documentation