Monday, December 10, 2018

How do I renew an expired Ubuntu OpenLDAP SSL Certificate

We went through the steps of revoking the SSL certificate used by our OpenLDAP server and renewing it, but we are unable to start slapd.

Here are the commands we used:

openssl verify hostname_domain_com_cert.pem

We got back that the certificate was expired but "OK".

We revoked the certificate we'd been using:

openssl ca -revoke /etc/ssl/certs/hostname_domain_com_cert.pem

Revoking worked fine.

We created the new cert request by passing it the key file as input:

openssl req -new -key hostname_domain_com_key.pem -out newreq.pem

We generated a new certificate using the newly created request file "newreq.pem":

openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem

We looked at our cn=config.ldif file, found the locations for the key and cert, and placed the newly dated certificate in the needed path.

Still we are unable to start slapd with:

service slapd start

We get this message:

Starting OpenLDAP: slapd - failed.

The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/

Here is what we found in /var/log/syslog:

Oct 23 20:18:25 ldap1 slapd[2710]: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Oct 23 20:18:25 ldap1 slapd[2710]: main: TLS init def ctx failed: -1
Oct 23 20:18:25 ldap1 slapd[2710]: slapd stopped.
Oct 23 20:18:25 ldap1 slapd[2710]: connections_destroy: nothing to destroy.

After generating a new ldap1 key/cert pair, we now get this whenever we try to start slapd:

Oct 24 08:38:12 ldap1 slapd[5461]: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Oct 24 08:38:12 ldap1 slapd[5463]: hdb_db_open: database "cn=accesslog" cannot be opened, err 13. Restore from backup!
Oct 24 08:38:12 ldap1 slapd[5463]: bdb(cn=accesslog): txn_checkpoint interface requires an environment configured for the transaction subsystem
Oct 24 08:38:12 ldap1 slapd[5463]: bdb_db_close: database "cn=accesslog": txn_checkpoint failed: Invalid argument (22).
Oct 24 08:38:12 ldap1 slapd[5463]: backend_startup_one (type=hdb, suffix="cn=accesslog"): bi_db_open failed! (13)
Oct 24 08:38:13 ldap1 slapd[5463]: bdb_db_close: database "cn=accesslog": alock_close failed
Oct 24 08:38:13 ldap1 slapd[5463]: slapd stopped.

Should we try to restore LDAP from backup?

Answer

Two things were done to fix this: 1) create a new key/cert pair for the ldap1 server; 2) restore LDAP from a recent slapcat backup.
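The "TLS init def ctx failed" line in the syslog above is what slapd logs when it cannot load the configured certificate and key, and the checks that catch that before a restart can be run from the shell. The following pre-flight script is an added example, not part of the original question or answer: it confirms that the certificate and private key belong together, that the certificate has not expired, and that it verifies against the CA file, using only the openssl CLI. The paths are placeholders; substitute the files named by olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile in cn=config.

```sh
#!/bin/sh
# Pre-flight checks for an OpenLDAP TLS certificate/key pair before
# "service slapd start". Added example, not from the original post.
# The paths passed in are placeholders for the olcTLS* values in cn=config.

# Does the certificate carry the same public key as the private key?
# A cert issued for a different key than the one slapd loads is the
# usual reason for "TLS init def ctx failed".
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least $2 more seconds?
# 0 means "not expired right now"; 2592000 asks about the next 30 days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Does the certificate verify against the CA file slapd trusts?
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks; exit status 0 only when slapd should be able to load
# the pair. Usage: preflight CERT.pem KEY.pem CA.pem
preflight() {
  cert=$1; key=$2; ca=$3
  cert_matches_key "$cert" "$key" ||
    { echo "FAIL: public key in $cert does not match $key" >&2; return 1; }
  cert_valid_for "$cert" 0 ||
    { echo "FAIL: $cert has expired" >&2; return 2; }
  cert_chains_to_ca "$cert" "$ca" ||
    { echo "FAIL: $cert does not verify against $ca" >&2; return 3; }
  cert_valid_for "$cert" 2592000 ||
    echo "WARN: $cert expires within 30 days; schedule the renewal" >&2
  echo "OK: $cert and $key are consistent and trusted by $ca" >&2
}

# Only runs when invoked with three paths (placeholder names), e.g.
#   sh tls-preflight.sh /etc/ssl/certs/hostname_domain_com_cert.pem \
#      /etc/ssl/private/hostname_domain_com_key.pem /etc/ssl/certs/cacert.pem
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run it as the openldap user (the -u openldap in the startup line above), so that a key file the service account cannot read also shows up as a failure rather than only at slapd start.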