Update OpenLDAP SSL certificate on CentOS 6

You may need to update your OpenLDAP SSL certificate, as well as the CA certificate and signing key on a regular basis. I ran into an issue that was ultimately resolved by doing that.

Connections to an OpenLDAP server I administer stopped working with this error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The server itself was up and the relevant ports were accessible. In fact, unencrypted LDAP continued to work while LDAPS saw the error above.

I restarted slapd with the -d 255 flag (-d 8 is sufficient for this error) and started seeing this error:

TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available TLS: can't create ssl handle.

At the start of the log, I saw several related errors including this one:

... is not valid - error -8181:Peer's Certificate has expired..

Ultimately this meant that I had to replace not just my certificate but also the CA certificate and the signing key in OpenLDAP’s moznss database. I believe my CA’s certificate had to be replaced because of the SHA1 retirement last year.

The steps I had to follow were surprisingly involved and undocumented:

  • Upload the new certificates to /etc/openldap/ssl
  • cd /etc/openldap/certs
  • List the existing certificates in the database:
      certutil -L -d .
  • Remove the existing certs:
      certutil -D -d . -n "OpenLDAP Server"
      certutil -D -d . -n "My CA Certificate"
  • Load the new OpenLDAP SSL certificate and CA certificate:
      certutil -A -n "OpenLDAP Server" -t CTu,u,u -d . -a -i ../ssl/my_certificate.bundle.crt
      certutil -A -n "My CA Certificate" -t CT,C,c -d . -a -i ../ssl/my_CA_certificate.intermediate.crt
  • Verify:
      certutil -L -d .
  • Convert the key to pkcs12 format:
      openssl pkcs12 -export -out ../ssl/my_certificate.key.pkcs12 -inkey ../ssl/my_certificate.key -in ../ssl/my_certificate.bundle.crt -certfile ../ssl/my_CA_certificate.intermediate.crt
  • Import the signing key:
      pk12util -i ../ssl/my_certificate.key.pkcs12 -d .
      # Database password is in /etc/openssl/certs/password
      # Key password is what you set above
  • Restart slapd:
      service slapd restart

I hope that’s enough to help anyone facing the same problem on CentOS, RHEL, Fedora, and possibly other distros.
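The same rotation as a guarded shell procedure, added here as an example and not part of the original post: it checks the new PEM files for expiry before touching the moznss database, deletes only nicknames that are actually present, and includes an offline demo of parsing the certutil -L listing. It assumes the paths and nicknames used above, that certutil/pk12util (nss-tools) and openssl are installed, and that it is run as root on the LDAP server.

```shell
#!/bin/sh
# Added example, not the post's own script: the rotation steps above as a
# guarded procedure for the CentOS 6 moznss (NSS) database.
# Assumed: paths and nicknames from the post; nss-tools and openssl present.
NSSDB=/etc/openldap/certs
SSLDIR=/etc/openldap/ssl
SERVER_NICK="OpenLDAP Server"
CA_NICK="My CA Certificate"

# Print the nicknames from a `certutil -L` listing read on stdin: skip the
# two header lines and strip the trailing trust-attribute column.
nss_nicknames() {
    awk 'NR > 2 && NF > 1 { sub(/[ \t]+[^ \t]+$/, ""); print }'
}

# Constructed sample of a `certutil -L -d .` listing for the offline demo.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

OpenLDAP Server                               CTu,u,u
My CA Certificate                             CT,C,c'

demo_nicknames() { printf '%s\n' "$SAMPLE_LISTING" | nss_nicknames; }

# Refuse a PEM cert that is expired or expires within 30 days; this check
# would have surfaced the -8181 "Certificate has expired" error before slapd did.
cert_ok() { openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)); }

rotate() {
    cd "$NSSDB" || return 1
    cert_ok "$SSLDIR/my_certificate.bundle.crt" || return 1
    cert_ok "$SSLDIR/my_CA_certificate.intermediate.crt" || return 1
    # certutil -D fails on a missing nickname, so delete only what is present.
    for nick in "$SERVER_NICK" "$CA_NICK"; do
        certutil -L -d . | nss_nicknames | grep -qxF "$nick" && certutil -D -d . -n "$nick"
    done
    certutil -A -n "$SERVER_NICK" -t CTu,u,u -d . -a -i "$SSLDIR/my_certificate.bundle.crt"
    certutil -A -n "$CA_NICK" -t CT,C,c -d . -a -i "$SSLDIR/my_CA_certificate.intermediate.crt"
    openssl pkcs12 -export -out "$SSLDIR/my_certificate.key.pkcs12" \
        -inkey "$SSLDIR/my_certificate.key" -in "$SSLDIR/my_certificate.bundle.crt" \
        -certfile "$SSLDIR/my_CA_certificate.intermediate.crt"
    pk12util -i "$SSLDIR/my_certificate.key.pkcs12" -d .   # prompts for both passwords
    certutil -L -d . | nss_nicknames                       # verify what is now loaded
    service slapd restart
}

# Only touch the live database when invoked explicitly.
if [ "${1:-}" = "--rotate" ]; then rotate; fi
```

Run `sh rotate_ldap_certs.sh --rotate` to perform the rotation; without the flag the script only defines the functions, so `demo_nicknames` can be exercised safely.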
