From c960adcd40f5c50fff2df354f7b659f1f5ca462d Mon Sep 17 00:00:00 2001
From: Heiko Pohl
Date: Fri, 20 Mar 2026 10:17:53 +0100
Subject: [PATCH 1/2] common issue Internal LibreIDM cert expires
---
 docs/admin/resources/common-issues.md | 39 +++++++++++++++++++
 .../admin/resources/common-issues.md | 39 +++++++++++++++++++
 2 files changed, 78 insertions(+)
diff --git a/docs/admin/resources/common-issues.md b/docs/admin/resources/common-issues.md
index 0c5b28af..98c47515 100644
--- a/docs/admin/resources/common-issues.md
+++ b/docs/admin/resources/common-issues.md
@@ -144,3 +144,42 @@ sudo docker run -it --rm -v opencloud-compose_opencloud-data:/var/lib/opencloud
 ```bash
 docker compose up -d
 ```
+
+## Internal LibreIDM cert expires
+
+### 🔧 Renewing an expired certificate in internal IDM (OpenCloud)
+
+When using the internal IDM (LibreIDM), the LDAP certificate may expire over time.
+
+#### 🛠️ Solution
+
+Navigate to the IDM directory
+
+```bash
+cd .opencloud/idm
+```
+
+Delete the old certificates
+
+```bash
+rm ldap.crt ldap.key
+
+Directory structure:
+
+.opencloud/idm
+├── idm.boltdb
+├── ldap.crt
+└── ldap.key
+```
+
+Restart the OpenCloud container
+
+```bash
+docker compose restart
+```
+
+➡️ The certificates will be automatically regenerated on restart.
+
+#### ⚠️ Recommendation
+
+Admins should avoid using LibreIDM in production and use OpenLDAP instead.
diff --git a/versioned_docs/version-4.0/admin/resources/common-issues.md b/versioned_docs/version-4.0/admin/resources/common-issues.md
index 0c5b28af..98c47515 100644
--- a/versioned_docs/version-4.0/admin/resources/common-issues.md
+++ b/versioned_docs/version-4.0/admin/resources/common-issues.md
@@ -144,3 +144,42 @@ sudo docker run -it --rm -v opencloud-compose_opencloud-data:/var/lib/opencloud
 ```bash
 docker compose up -d
 ```
+
+## Internal LibreIDM cert expires
+
+### 🔧 Renewing an expired certificate in internal IDM (OpenCloud)
+
+When using the internal IDM (LibreIDM), the LDAP certificate may expire over time.
+
+#### 🛠️ Solution
+
+Navigate to the IDM directory
+
+```bash
+cd .opencloud/idm
+```
+
+Delete the old certificates
+
+```bash
+rm ldap.crt ldap.key
+
+Directory structure:
+
+.opencloud/idm
+├── idm.boltdb
+├── ldap.crt
+└── ldap.key
+```
+
+Restart the OpenCloud container
+
+```bash
+docker compose restart
+```
+
+➡️ The certificates will be automatically regenerated on restart.
+
+#### ⚠️ Recommendation
+
+Admins should avoid using LibreIDM in production and use OpenLDAP instead.
From b1b7c86f960d653cd45f56902af37ffaf9225e8a Mon Sep 17 00:00:00 2001
From: Heiko Pohl
Date: Fri, 20 Mar 2026 10:27:38 +0100
Subject: [PATCH 2/2] refining text
---
 docs/admin/resources/common-issues.md | 14 ++++++++++++++
 .../version-4.0/admin/resources/common-issues.md | 16 ++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/docs/admin/resources/common-issues.md b/docs/admin/resources/common-issues.md
index 98c47515..43a44a35 100644
--- a/docs/admin/resources/common-issues.md
+++ b/docs/admin/resources/common-issues.md
@@ -150,6 +150,20 @@ docker compose up -d
 ### 🔧 Renewing an expired certificate in internal IDM (OpenCloud)
 
 When using the internal IDM (LibreIDM), the LDAP certificate may expire over time.
+You can see similar errormessages in your logfiles:
+
+```bash
+opencloud-1 | 2026-03-10T14:10:36Z WRN core access token not set host.name=3133c92656c8 pkg=rhttp service=frontend traceid=2da2886cf47f0143876953ee33f814a9
+opencloud-1 | 2026-03-10T14:10:36Z ERR failed to build subject.session error="invalid key format" service=proxy
+opencloud-1 | 2026-03-10T14:10:36Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm
+opencloud-1 | 2026-03-10T14:10:37Z ERR could not get ldap Connection error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" service=graph
+opencloud-1 | 2026-03-10T14:10:37Z ERR failed to add user error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph
+opencloud-1 | 2026-03-10T14:10:37Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm
+opencloud-1 | 2026-03-10T14:10:37Z ERR could not create user: backend error error="generalException: failed to add user" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph
+opencloud-1 | 2026-03-10T14:10:37Z WRN Error Response OData Error="failed to add user" service=proxy
+opencloud-1 | 2026-03-10T14:10:37Z ERR Error creating user error="500 Internal Server Error" service=proxy
+opencloud-1 | 2026-03-10T14:10:37Z ERR Autoprovisioning user failed error="500 Internal Server Error" service=proxy
+```
 
 #### 🛠️ Solution
 
diff --git a/versioned_docs/version-4.0/admin/resources/common-issues.md b/versioned_docs/version-4.0/admin/resources/common-issues.md
index 98c47515..7946b497 100644
--- a/versioned_docs/version-4.0/admin/resources/common-issues.md
+++ b/versioned_docs/version-4.0/admin/resources/common-issues.md
@@ -150,6 +150,22 @@ docker compose up -d
 ### 🔧 Renewing an expired certificate in internal IDM (OpenCloud)
 
 When using the internal IDM (LibreIDM), the LDAP certificate may expire over time.
+You can see similar errormessages in your logfiles:
+
+```bash
+Errormassage:
+
+opencloud-1 | 2026-03-10T14:10:36Z WRN core access token not set host.name=3133c92656c8 pkg=rhttp service=frontend traceid=2da2886cf47f0143876953ee33f814a9
+opencloud-1 | 2026-03-10T14:10:36Z ERR failed to build subject.session error="invalid key format" service=proxy
+opencloud-1 | 2026-03-10T14:10:36Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm
+opencloud-1 | 2026-03-10T14:10:37Z ERR could not get ldap Connection error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" service=graph
+opencloud-1 | 2026-03-10T14:10:37Z ERR failed to add user error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph
+opencloud-1 | 2026-03-10T14:10:37Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm
+opencloud-1 | 2026-03-10T14:10:37Z ERR could not create user: backend error error="generalException: failed to add user" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph
+opencloud-1 | 2026-03-10T14:10:37Z WRN Error Response OData Error="failed to add user" service=proxy
+opencloud-1 | 2026-03-10T14:10:37Z ERR Error creating user error="500 Internal Server Error" service=proxy
+opencloud-1 | 2026-03-10T14:10:37Z ERR Autoprovisioning user failed error="500 Internal Server Error" service=proxy
+```
 
 #### 🛠️ Solution
 