The TLS CACERT certificate has expired
This topic provides troubleshooting references and steps for resolving system errors when the TLS CACERT certificate has expired.
Description
When the system is configured with AD/LDAP and TLS, the TLS CACERT has expired after configuration, and the user is trying to run the keystone command, the system displays the following error:
[root@SSClusterNode3 ~]# openstack user list
ERROR: openstack An unexpected error prevented the server from fulfilling your request.
(HTTP 500) (Request-ID: req-dfd63d79-39e5-4c4a-951d-44b72e8fd9ef)
Logfile /var/log/keystone/keystone.log2045-01-14 10:50:40.809 30518
TRACE keystone.common.wsgi CONNECT_ERROR:
{'info': "TLS error -8162:The certificate issuer's certificate has expired.
Check your system date and time.", 'desc': 'Connect error'}
Note:
The log files for this error can be viewed in /var/log/keystone/keystone.log.
Cause
The system displays this error because the TLS CACERT certificate has expired.
Proposed workaround
- Obtain the updated TLS CACERT certificate on the system.
- Rerun the object authentication command.
Note:
Do not run the –idmapdelete command before you run the object authentication command.