Help me, OpenDirectory Kenobi, OpenDirectory does not like renewed SSL certificate
macOS High Sierra, Server 5.2. Using Let's Encrypt/Certbot to renew certificates every 3 months for Web/CalDAV/Mail and OpenDirectory for network users.
Recently, when a certificate was renewed, LDAP silently failed with no error messages other than Mail not being able to authenticate users. When I opened up Server[Admin].app, it showed both OpenDirectory and Mail as running. But when I clicked on Users or Groups, there were no users listed but the local admin. So I opened up the Directory Assistant tool and noticed that I had no access to LDAPv3/127.0.0.1.
So I searched through the Server.app logs, but there was nothing for OpenDirectory. I opened up Console.app and went through more logs... I don't remember which one, but something about "certificate" and "decrypt" was mentioned. Fortunately, I still had 3 weeks left on the old certificate before it expired, so I reverted to using the old one. I got access to LDAPv3/127.0.0.1 in the Directory Assistant tool, Users/Groups loaded in Server.app, and Mail was able to authenticate users again.
None of the renewal parameters had changed for the certificates, so the key or the encryption method shouldn't have changed. But nonetheless, I issued a "force-renew" to certbot and created another certificate with a later date. When I made OD use the new certificate, the LDAP users loaded fine but the groups didn't, and Mail stopped being able to authenticate users again. So, something in the new cert is preventing OD from completely loading the database but not throwing any noticeable errors, other than the one mention in an obscure log that I may have imagined in my frenzy to fix the problem.
So, now I have about two weeks to figure this out before the old cert expires. Any pointers? Should I explicitly specify a certain encryption method for old servers? Do the keys expire?
BTW, I also noticed that Server.app stopped showing that the services running on my machine are available at my FQDN. I don't know if it's related, but it happened sometime this year.
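A check worth running before the old certificate expires, added here as an example and not code from the original poster, Apple or certbot: compare the old and the renewed certificate field by field rather than trusting that "none of the renewal parameters changed". A renewal should differ only in serial, dates and key material; the key algorithm and size, the signature algorithm, the issuer and the SANs should be identical. They are not always: Let's Encrypt has changed its intermediates and chain over the years, and certbot 2.0 changed its default key type from RSA to ECDSA, so a server that had only ever seen an RSA certificate can be handed an ECDSA one without any config change on your side. The script needs only openssl(1); the certificate paths, host name and LDAPS port in the usage comments are assumptions, since the poster's real ones are not given.

```shell
#!/bin/sh
# od_cert_check.sh: added example for the post above (not from the original poster).
# Compares an old and a renewed PEM certificate on the fields a TLS peer can choke
# on, and probes an LDAPS listener. Needs openssl(1) only.
# Assumed layout: certbot keeps old/new certs under /etc/letsencrypt/archive/<name>/certN.pem;
# the poster's actual paths and host name are not known.

# "rsaEncryption" or "id-ecPublicKey": a silent RSA -> ECDSA switch shows up here.
cert_key_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Public key size in bits (2048 for a typical RSA cert, 256 for P-256 ECDSA).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm, e.g. sha256WithRSAEncryption or ecdsa-with-SHA256.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Issuer DN; a change here means the CA intermediate (and so your chain file) changed.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Subject Alternative Names: the line that follows the SAN extension header.
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# Human-readable summary of one certificate, validity dates included.
cert_summary() {
  printf 'file:     %s\n' "$1"
  openssl x509 -in "$1" -noout -subject -dates
  printf 'issuer:   %s\nkey_alg:  %s\nkey_bits: %s\nsig_alg:  %s\nsan:      %s\n' \
    "$(cert_issuer "$1")" "$(cert_key_alg "$1")" "$(cert_key_bits "$1")" \
    "$(cert_sig_alg "$1")" "$(cert_san "$1")"
}

# Compare old vs new on the fields that should not change on a plain renewal.
# Prints "field: old -> new" per difference; the exit status is the number of
# differences, so 0 means the renewal changed nothing a TLS peer would care about.
cert_compare() {
  old="$1"; new="$2"; diffs=0
  for field in key_alg key_bits sig_alg issuer san; do
    a=$("cert_$field" "$old"); b=$("cert_$field" "$new")
    if [ "$a" != "$b" ]; then
      printf '%s: %s -> %s\n' "$field" "$a" "$b"
      diffs=$((diffs + 1))
    fi
  done
  return "$diffs"
}

# Probe an LDAPS listener the way an OD or Mail client does: full handshake plus
# chain verification against the local trust store. Prints the "Verify return code"
# text; "0 (ok)" is a pass. Assumes slapd serves LDAPS on 636 (pass another port if
# not); for STARTTLS on 389 add "-starttls ldap", which needs OpenSSL 1.1.1 or later.
ldaps_probe() {
  host="$1"; port="${2:-636}"
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
    | sed -n 's/^ *Verify return code: *//p'
}

# Usage (paths and host are assumptions, see above):
#   cert_summary /etc/letsencrypt/archive/od.example.com/cert1.pem
#   cert_compare /etc/letsencrypt/archive/od.example.com/cert1.pem \
#                /etc/letsencrypt/archive/od.example.com/cert2.pem
#   ldaps_probe od.example.com
```

If cert_compare reports key_alg or key_bits, re-issue with certbot's --key-type rsa (and --rsa-key-size if you need a specific size) so the server gets the same kind of key it handled before; if it reports issuer, look at the chain/fullchain file you hand to OpenDirectory rather than the leaf certificate alone. Run ldaps_probe from a client machine as well as on the server, since a chain the server accepts is not necessarily one its clients trust.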