You may need to update your OpenLDAP SSL certificate, as well as the CA certificate and signing key on a regular basis. I ran into an issue that was ultimately resolved by doing that.
Connections to an OpenLDAP server I administer stopped working with this error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The server itself was up and the relevant ports were accessible. In fact, unencrypted LDAP continued to work while LDAPS saw the error above.
I restarted slapd with -d 255 flag (-d 8 is sufficient for this error) and started seeing this error:
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available TLS: can't create ssl handle.
At the start of the log, I saw several related errors including this one:
... is not valid - error -8181:Peer's Certificate has expired..
Ultimately this meant that I had to replace not just my certificate but also the CA certificate and the signing key in OpenLDAP’s moznss database. I believe my CA’s certificate had to be replaced because of the SHA1 retirement last year.
The steps I had to follow were surprisingly involved and undocumented:
- Upload the new certificates to /etc/openldap/ssl
- cd /etc/openldap/certs
- List the existing certificates in the database:
certutil -L -d .
- Remove the existing certs:
certutil -D -d . -n "OpenLDAP Server"
certutil -D -d . -n "My CA Certificate"
- Load the new OpenLDAP SSL certificate and CA certificate:
certutil -A -n "OpenLDAP Server" -t CTu,u,u -d . -a -i ../ssl/my_certificate.bundle.crt
certutil -A -n "My CA Certificate" -t CT,C,c -d . -a -i ../ssl/my_CA_certificate.intermediate.crt
certutil -L -d .
- Convert the key to pkcs12 format:
openssl pkcs12 -export -out ../ssl/my_certificate.key.pkcs12 -inkey ../ssl/my_certificate.key -in ../ssl/my_certificate.bundle.crt -certfile ../ssl/my_CA_certificate.intermediate.crt
pk12util -i ../ssl/my_certificate.key.pkcs12 -d .
# Database password is in /etc/openssl/certs/password
# Key password is what you set above
service slapd restart
I hope that’s enough to help anyone facing the same problem on CentOS, RHEL, Fedora, and possibly other distros.