Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Error
Summary
An certificate was encountered that is not yet valid.
Description
This error is reported by fmos pki import-cpl-cert when the supplied control panel certificate or one of the required intermediate CA certificates in the CA chain file is not yet valid.
Impact
When a server presents a certificate that is not yet valid to clients when they connect to it, the clients will refuse to communicate with the server.
Cause
Certificates include a range of dates during which they are valid. If the current date and time falls outside that range, clients will not communicate with that server.
Client machines typically use their internal system clock to determine the current date and time. If the system clock is not set correctly, client software may erroneously calculate that the control panel certificate is not yet valid.
Resolution 1
If the control panel is using a custom certificate signed by a certificate authority (either internal or public), a new certificate will need to be issued. Contact the certificate authority for instructions on how to obtain a certificate with an appropriate validity range.
Once the new certificate is available, it will need to be imported using fmos pki import-cpl-cert as usual:
fmos pki import-cpl-cert newcert.pem newcert.keyResolution 2
If the system clock is set incorrectly it will need to be corrected. FMOS requires NTP for time synchronization, so at least one NTP server must be configured on and reachable by all machines in the FMOS ecosystem.
Comments
0 comments
Article is closed for comments.