Problems renewing expired OpenLDAP SSL Certificate
We went through the steps of revoking an SSL Certificate used by our OpenLDAP server and renewing it, but we are unable to start slapd.

Here are the commands we used:

We got back that the certificate was expired but "OK":

    openssl verify hostname_domain_com_cert.pem

We revoked the certificate we'd been using:

    openssl ca -revoke /etc/ssl/certs/hostname_domain_com_cert.pem

Revoking worked fine.

We created the new Cert Request by passing it the key file as input:

    openssl req -new -key hostname_domain_com_key.pem -out newreq.pem

We generated a new certificate using the newly created request file "newreq.pem":

    openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem

We looked at our cn=config.ldif file and found the locations for the key and cert and placed the newly dated certificate in the needed path.

Still we are unable to start slapd with:

    service slapd start

We get this message:

    Starting OpenLDAP: slapd - failed.
    The operation failed but no output was produced. For hints on what went
    wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
    try running the daemon in Debug mode like via "slapd -d 16383" (warning:
    this will create copious output).
    Below, you can find the command line options used by this script to
    run slapd. Do not forget to specify those options if you
    want to look to debugging output:
    slapd -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/

Here is what we found in /var/log/syslog:

    Oct 23 20:18:25 ldap1 slapd: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
    Oct 23 20:18:25 ldap1 slapd: main: TLS init def ctx failed: -1
    Oct 23 20:18:25 ldap1 slapd: slapd stopped.
    Oct 23 20:18:25 ldap1 slapd: connections_destroy: nothing to destroy.

We are not sure what else to try. Any ideas?
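"TLS init def ctx failed" is the message slapd logs when it cannot load the certificate, key or CA file it was configured with, and the debug run suggested above is the only detail OpenLDAP 2.4 gives. The following pre-flight script is an added example, not part of the question or of OpenLDAP; it runs the checks that account for most such failures after a renewal (certificate and key do not belong together, certificate still expired, certificate does not chain to the configured CA file, key unreadable by the service user or readable by everyone). The path names and the `olcTLS*` attribute names it mentions are assumptions; substitute the values found in your own cn=config.ldif.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the TLS
# material slapd is configured with, i.e. the files named by the
# olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile
# attributes in cn=config. Each check targets one common cause of
# "main: TLS init def ctx failed: -1". Paths are assumptions to replace.

# 1. Does the certificate belong to this private key? Extract the public key
#    from both and compare the PEM text; any extraction failure counts as a
#    mismatch (missing or unparsable file).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Is the certificate still within its validity period? -checkend 0 exits
#    non-zero if the certificate has already expired.
cert_is_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 3. Does the certificate verify against the CA file slapd will be handed?
#    A renewed certificate issued by a different or re-created CA fails here.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 4. Is the private key readable by us (run this as the service user, e.g.
#    the "openldap" user from the -u option) and not readable by everyone?
key_perms_ok() {
    [ -r "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Run one named check, print its verdict, and record a failure in $failed.
report() {
    if "$@"; then echo "ok   : $1"; else echo "FAIL : $1"; failed=1; fi
}

# Run all checks for a cert/key/CA triple. Returns 0 only if every check passes.
check_tls_material() {
    cert=$1; key=$2; ca=$3; failed=0
    report cert_matches_key "$cert" "$key"
    report cert_is_unexpired "$cert"
    report cert_chains_to_ca "$cert" "$ca"
    report key_perms_ok "$key"
    return $failed
}

# Usage: ./tlscheck.sh <cert.pem> <key.pem> <cafile.pem>
if [ $# -ge 3 ]; then
    check_tls_material "$1" "$2" "$3"
fi
```

Run it as the user slapd drops to (`sudo -u openldap sh tlscheck.sh /path/to/newcert.pem /path/to/hostname_domain_com_key.pem /path/to/cacert.pem`), because a key that root can read but the service user cannot produces exactly the same slapd failure. Note that the `openssl ca` output file (`newcert.pem` above) contains a human-readable dump before the PEM block; slapd reads the PEM, but check 1 will also tell you if a wrong file was copied into the configured path.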