Category: X.509 certificate usage or issue
An expired certificate was encountered.
This error is reported by fmos pki import-server-cert when the supplied server certificate or one of the required intermediate CA certificates in the CA chain file has expired.
When a server presents a certificate that has expired to clients when they connect to it, the clients will refuse to communicate with the server.
Certificates include a range of dates during which they are valid. If the current date and time falls outside that range, clients will not communicate with that server.
Client machines typically use their internal system clock to determine the current date and time. If the system clock is not set correctly, client software may erroneously calculate that the server certificate has expired.
If the server is using the default self-signed certificate managed by FMOS, the system will automatically renew the expired certificate the next time the FMOS configuration policy is applied.
To apply the configuration policy, execute the fmos redeploy command:
If this machine is part of a multi-server ecosystem and has subordinate servers, the new certificate will need to be distributed to all of the subordinate machines.
Export the new certificate to a file:
fmos pki export-server-cert --no-key newcert.pem
Copy the generated file to each subordinate machine (e.g. using SFTP)
Import the new certificate into the CA trust store on each of the subordinate machines:
fmos pki import-ca newcert.pem
The argument (newcert.pem in the above example) must be the path to the certificate exported on the superior server in step 1.
If the server is using a custom certificate signed by a certificate authority (either internal or public), a new certificate will need to be issued. Contact the certificate authority for instructions on how to obtain a renewed certificate.
Once the new certificate is available, it will need to be imported using fmos pki import-server-cert as usual:
fmos pki import-server-cert newcert.pem newcert.key
If the system clock is set incorrectly it will need to be corrected. FMOS requires NTP for time synchronization, so at least one NTP server must be configured on and reachable by all machines in the FMOS ecosystem.