The TLS CACERT certificate has expired

This topic provides troubleshooting references and steps for resolving system errors when the TLS CACERT certificate has expired.

Description

When the system is configured with AD/LDAP and TLS, the TLS CACERT has expired after configuration, and the user is trying to run the keystone command, the system displays the following error:

[root@SSClusterNode3 ~]# openstack user list
ERROR: openstack An unexpected error prevented the server from fulfilling your request. 
(HTTP 500) (Request-ID: req-dfd63d79-39e5-4c4a-951d-44b72e8fd9ef) 
Logfile /var/log/keystone/keystone.log2045-01-14 10:50:40.809 30518 
TRACE keystone.common.wsgi CONNECT_ERROR: 
{'info': "TLS error -8162:The certificate issuer's certificate has expired. 
Check your system date and time.", 'desc': 'Connect error'}

Note:

The log files for this error can be viewed in /var/log/keystone/keystone.log.

Cause

The system displays this error because the TLS CACERT certificate has expired.

Proposed workaround

  1. Obtain the updated TLS CACERT certificate on the system.
  2. Rerun the object authentication command.
Note:

Do not run the –idmapdelete command before you run the object authentication command.

Parent topic: Object issues