Yes, unfortunately, using openssl does not re-read the certificate files while slapd is running. I wonder: If an ldapmodify can trigger a refresh, can't slapd check (like once per day) whether the mtime of the certificate file had changed and then trigger re-reading it. Or at least start doing so once the cached certificate had expired 😉
Kind regards, Ulrich Windl > -----Original Message----- > From: Howard Chu <[email protected]> > Sent: Wednesday, May 20, 2026 7:46 PM > To: Windl, Ulrich <[email protected]>; [email protected]; openldap- > [email protected] > Subject: [EXT] Re: [EXT] issue with new cert (now using CN = InCommon RSA > OV SSL CA 3) > > > Windl, Ulrich wrote: > > Hi! > > > > I have a related question: I replaced our certificate with a refreshed one > (keeping the key and filename). > > Does OpenLDAP cache the certificate, or does it read it anew every time it's > needed (i.e.: do I have to restart the server?)? I'm using cn=config, just in > case. > > The behavior depends on the particular TLS library being used. Pretty sure > that OpenSSL > caches the file. You don't need to restart the server, just ldapmodify the > setting in cn=config. > You can replace it with the same name as before, if you just want it to reload > the same file. > > > > Kind regards, > > Ulrich Windl > > > >> -----Original Message----- > >> From: [email protected] <[email protected]> > >> Sent: Wednesday, May 13, 2026 7:32 PM > >> To: [email protected] > >> Subject: [EXT] issue with new cert (now using CN = InCommon RSA OV SSL > CA > >> 3) > >> > > > >> At the moment, I still update LDAP certificates by hand. All previous > >> certs > >> used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May > >> 4th, moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL > CA > >> 3". I had to generate a new cert after that date... so I added in the new > >> CA > >> certs into my CACert file on both ends. But replication is failing with > >> the > new > >> cert, works fine with the old cert: > >> > >> May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect: > >> URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1) > >> May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1 > >> retrying > >> > >> Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and > that > >> didn't change anything. If I move back to the old cert (expires tomorrow) > >> replication works again so probably not a password issue. > >> > >> Any suggestions for debugging this further? > >> > >> thanks, > >> ds > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/
