Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Warning
Summary
A certificate was encountered that is not yet valid.
Description
This error is reported by fmos pki import-server-cert when the supplied server certificate or one of the required intermediate CA certificates in the CA chain file is not yet valid.
Impact
When a server presents a certificate that is not yet valid to connecting clients, the clients will refuse to communicate with the server.
Cause
Certificates include a range of dates during which they are valid. If the current date and time falls outside that range, clients will not communicate with that server.
Client machines typically use their internal system clock to determine the current date and time. If the system clock is not set correctly, client software may erroneously calculate that the server certificate is not yet valid.
Resolution 1
If the server is using a custom certificate signed by a certificate authority (either internal or public), a new certificate will need to be issued. Contact the certificate authority for instructions on how to obtain a certificate with an appropriate validity range.
Once the new certificate is available, it will need to be imported using fmos pki import-server-cert as usual:
fmos pki import-server-cert newcert.pem newcert.key
Resolution 2
If the supplied file contains multiple certificates, one of the certificates in the file may have expired, which prevents any of the other certificates in the file from being processed. To resolve this issue, remove the supplied certificate from the file before attempting to import it.
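The following is an added example, not part of FMOS or the original article: a shell function that splits a certificate or CA chain file into individual certificates and reports each one whose notBefore date is later than a reference time (the system clock by default). It assumes openssl and GNU date are installed; the names not_yet_valid and make_sample_chain are hypothetical, and the sample certificate is constructed.

```shell
#!/bin/sh
# not_yet_valid FILE [NOW_EPOCH]
# Prints one line per certificate in FILE that is not yet valid at NOW_EPOCH
# (default: current system time). Returns 0 if all are valid, 1 if any
# certificate is not yet valid, 2 if the file could not be parsed.
not_yet_valid() {
    bundle=$1
    now=${2:-$(date -u +%s)}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert.%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"
    rc=0
    for pem in "$tmp"/cert.*.pem; do
        [ -e "$pem" ] || { rc=2; break; }   # no certificates found in FILE
        start=$(openssl x509 -in "$pem" -noout -startdate) || { rc=2; break; }
        start=${start#notBefore=}
        # GNU date (assumption) parses the openssl date format.
        start_epoch=$(date -u -d "$start" +%s) || { rc=2; break; }
        if [ "$start_epoch" -gt "$now" ]; then
            subject=$(openssl x509 -in "$pem" -noout -subject)
            echo "NOT YET VALID: $subject (notBefore=$start)"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# make_sample_chain FILE
# Constructed sample input: a throwaway self-signed certificate whose
# notBefore is the moment it is generated. The private key is discarded.
make_sample_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=constructed.example" \
        -keyout "$1.key" -out "$1" 2>/dev/null || return 1
    rm -f "$1.key"
}
```

Passing an explicit NOW_EPOCH makes it possible to tell a certificate that really starts in the future apart from one that only appears so because the local clock is behind.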
Resolution 3
If the system clock is set incorrectly, it will need to be corrected. FMOS requires NTP for time synchronization, so at least one NTP server must be configured on and reachable by all machines in the FMOS ecosystem.