
Help me OpenDirectory Kenobi, OpenDirectory does not like renewed SSL certificate

MacOS High Sierra Server 5.2. Using Let's Encrypt/Certbot to renew certificates every 3 months for Web/CalDAV/Mail and OpenDirectory for network users.


Recently when a certificate was renewed, LDAP silently failed with no error messages other than Mail not being able to authenticate users. When I opened up Server[Admin].app, it showed both OpenDirectory and Mail as running. But when I clicked on Users or Groups, there were no users but the local admin listed. So I opened up the Directory Assistant tool and noticed that I had no access to LDAPv3/127.0.0.1.


So I search through the Server.app logs, but there's nothing for OpenDirectory. I open up Console.app and go through more logs... I don't remember which one, but something about "certificate" and "decrypt" was mentioned. Fortunately, I still had 3 weeks left on the old certificate before it expired, so I revert back to using the old one. I get access to LDAPv3/127.0.0.1 in the Directory Assistant tool, Users/Groups load in Server.app, and Mail was able to authenticate users again.


None of the renewal parameters had changed for the certificates so the key or the encryption method shouldn't have changed. But nonetheless, I issue a "force-renew" to certbot and create another certificate with a later date. When I make OD use the new certificate, the LDAP users load fine but the groups don't and Mail stops being able to authenticate users again. So, something in the new cert is preventing OD from completely loading the database but not throwing any noticeable errors other than the one mentioned in an obscure log that I may have imagined in my frenzy to fix the problem.


So, now I have about two weeks to figure this out before the old cert expires. Any pointers? Should I explicitly specify a certain encryption method for old servers? Do the keys expire?


BTW, I also noticed that Server.app stopped showing that the services running on my machine are available at my FQDN. I dunno if it's related, but it happened sometime this year.

Posted on Nov 26, 2024 5:08 PM
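A defender-side check for the situation in this post, added here as an example (it is not from the thread, from certbot, or from Apple): a POSIX shell script that compares the expiring certificate with the renewed one field by field (key algorithm and size, signature algorithm, SANs, validity dates) and verifies that the private key a service is configured with actually matches the certificate it presents. The hostname ldap.example.test and the self-signed fixtures it generates are constructed for the demo; `ldaps_served_cert` is a hypothetical helper name that assumes the directory service answers TLS on the given host:port. Only the openssl CLI is required (OpenSSL 1.1.1 or newer for the fixture generator).

```shell
#!/bin/sh
# Added example (not from the thread): diff an old and a renewed PEM certificate
# and confirm a private key belongs to a certificate. Requires the openssl CLI.

# cert_field FILE FIELD -> one comparable property of a PEM certificate.
# FIELD: subject | issuer | notafter | keyalg | keybits | sigalg | san
cert_field() {
  f="$1"
  case "$2" in
    subject)  openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//' ;;
    issuer)   openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//' ;;
    notafter) openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//' ;;
    # e.g. rsaEncryption vs id-ecPublicKey: a key-type change on renewal
    keyalg)   openssl x509 -in "$f" -noout -text | awk '/Public Key Algorithm:/ {print $4; exit}' ;;
    keybits)  openssl x509 -in "$f" -noout -text | awk -F'[()]' '/Public-Key:/ {print $2; exit}' ;;
    # first "Signature Algorithm:" line is the one in the TBS certificate
    sigalg)   openssl x509 -in "$f" -noout -text | awk -F': ' '/Signature Algorithm:/ {print $2; exit}' ;;
    # SAN entries are on the line after the extension header
    san)      openssl x509 -in "$f" -noout -text | awk '/Subject Alternative Name/ {getline; sub(/^ */, ""); print; exit}' ;;
    *) echo "unknown field: $2" >&2; return 1 ;;
  esac
}

# cert_diff OLD NEW -> prints "field: old -> new" for every field that changed.
cert_diff() {
  for k in subject issuer notafter keyalg keybits sigalg san; do
    a=$(cert_field "$1" "$k")
    b=$(cert_field "$2" "$k")
    [ "$a" = "$b" ] || echo "$k: $a -> $b"
  done
}

# key_matches CERT KEY -> succeeds only if KEY's public half is CERT's public key.
# Catches the "service still points at the old key after renewal" case.
key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# ldaps_served_cert HOST:PORT -> the leaf certificate a live TLS listener presents,
# so it can be fed to cert_field/cert_diff. (Hypothetical helper; not run by the demo.)
ldaps_served_cert() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# make_test_cert BASENAME rsa|ec -> constructed self-signed fixture BASENAME.crt/.key
make_test_cert() {
  if [ "$2" = ec ]; then
    alg="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"
  else
    alg="-newkey rsa:2048"
  fi
  # shellcheck disable=SC2086  # $alg is intentionally word-split
  openssl req -x509 $alg -nodes -days 30 -subj "/CN=ldap.example.test" \
    -addext "subjectAltName=DNS:ldap.example.test" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Stand-alone demo: an RSA "old" cert versus an ECDSA "new" cert for the same name.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d/old" rsa && make_test_cert "$d/new" ec
  echo "== changed fields =="
  cert_diff "$d/old.crt" "$d/new.crt"
  key_matches "$d/old.crt" "$d/old.key" && echo "old.key matches old.crt"
  key_matches "$d/old.crt" "$d/new.key" || echo "new.key does NOT match old.crt"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh compare_certs.sh demo` to see the fixtures diffed; in practice point `cert_diff` at the archived certificate and the renewed one from the certbot live directory, and point `key_matches` at the key file the directory service is actually configured with. A line for `keyalg`, `keybits` or `sigalg` in the diff output is the first thing to look at when an older TLS stack accepts one certificate and rejects its renewal.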

1 reply

Dec 2, 2024 9:20 AM in response to Celia Wessen

EMERGENCY SSL DATE HACK


After much investigation, I did not find a solution to making LDAP load the user/groups with OpenDirectory using the new SSL certificates. So, I just turned back the local time on the server to a date before the old SSL certificate ran out (same day of week for my sanity) and restored the network user/groups while I migrate off of this particular server. I really didn't want to do this, but I had to buy time somehow. The email dates are going to be screwed up :sigh:

