Windl, Ulrich wrote:
> Hi!
> 
> I have a related question: I replaced our certificate with a refreshed one 
> (keeping the key and filename).
> Does OpenLDAP cache the certificate, or does it read it anew every time it's 
> needed (i.e.: do I have to restart the server?)? I'm using cn=config, just in 
> case.

The behavior depends on the particular TLS library being used. Pretty sure that 
OpenSSL
caches the file. You don't need to restart the server, just ldapmodify the 
setting in cn=config.
You can replace it with the same name as before, if you just want it to reload 
the same file.
> 
> Kind regards,
> Ulrich Windl
> 
>> -----Original Message-----
>> From: [email protected] <[email protected]>
>> Sent: Wednesday, May 13, 2026 7:32 PM
>> To: [email protected]
>> Subject: [EXT] issue with new cert (now using CN = InCommon RSA OV SSL CA
>> 3)
>>
>  
>> At the moment, I still update LDAP certificates by hand.  All previous certs
>> used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May
>> 4th, moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL CA
>> 3".  I had to generate a new cert after that date... so I added in the new CA
>> certs into my CACert file on both ends.  But replication is failing with the 
>> new
>> cert, works fine with the old cert:
>>
>>   May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect:
>> URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1)
>>   May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1
>> retrying
>>
>> Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and that
>> didn't change anything.  If I move back to the old cert (expires tomorrow)
>> replication works again so probably not a password issue.
>>
>> Any suggestions for debugging this further?
>>
>> thanks,
>> ds


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to