Yes, unfortunately, using openssl does not re-read the certificate files while 
slapd is running.
I wonder: If an ldapmodify can trigger a refresh, can't slapd check (like once 
per day) whether the mtime of the certificate file had changed and then trigger 
re-reading it. Or at least start doing so once the cached certificate had 
expired 😉

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Howard Chu <[email protected]>
> Sent: Wednesday, May 20, 2026 7:46 PM
> To: Windl, Ulrich <[email protected]>; [email protected]; openldap-
> [email protected]
> Subject: [EXT] Re: [EXT] issue with new cert (now using CN = InCommon RSA
> OV SSL CA 3)
> 
> 
> Windl, Ulrich wrote:
> > Hi!
> >
> > I have a related question: I replaced our certificate with a refreshed one
> (keeping the key and filename).
> > Does OpenLDAP cache the certificate, or does it read it anew every time it's
> needed (i.e.: do I have to restart the server?)? I'm using cn=config, just in
> case.
> 
> The behavior depends on the particular TLS library being used. Pretty sure
> that OpenSSL
> caches the file. You don't need to restart the server, just ldapmodify the
> setting in cn=config.
> You can replace it with the same name as before, if you just want it to reload
> the same file.
> >
> > Kind regards,
> > Ulrich Windl
> >
> >> -----Original Message-----
> >> From: [email protected] <[email protected]>
> >> Sent: Wednesday, May 13, 2026 7:32 PM
> >> To: [email protected]
> >> Subject: [EXT] issue with new cert (now using CN = InCommon RSA OV SSL
> CA
> >> 3)
> >>
> >
> >> At the moment, I still update LDAP certificates by hand.  All previous 
> >> certs
> >> used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May
> >> 4th, moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL
> CA
> >> 3".  I had to generate a new cert after that date... so I added in the new 
> >> CA
> >> certs into my CACert file on both ends.  But replication is failing with 
> >> the
> new
> >> cert, works fine with the old cert:
> >>
> >>   May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect:
> >> URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1)
> >>   May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1
> >> retrying
> >>
> >> Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and
> that
> >> didn't change anything.  If I move back to the old cert (expires tomorrow)
> >> replication works again so probably not a password issue.
> >>
> >> Any suggestions for debugging this further?
> >>
> >> thanks,
> >> ds
> 
> 
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to