Q: Server 3 / SSL Certificate / Open Directory - Problem!

I'm having the exact same issue with a fresh install of Mavericks 10.9.1, Server 3.0.2, and a brand new UCC Cert from GoDaddy.

Update: I was able to get this working by doing the following:

1. Turn off ALL services, except DNS and OpenDirectory.
2. Delete my OpenDirectory master, this will turn off OpenDirectory and remove the self-signed cert.
3. You should now only have the trusted cert installed. Make sure that the CA is trusted as well.
4. Create a new OpenDirectory master. It will automatically select the trusted cert and not create a self-signed cert.
5. Re-enable all desired services.
6. Double-check in the Certificates tab, that only your trusted cert is being used.

I just resolved this issue on Mavericks (after A LOT of work).  GoDaddy's website only provides instructions from OS X 10.6, and every variation of their instructions were not working.

The solution ended up being very simple.

Caveats:

1) This was my first installation of OS X Server, so I had no previous cert to go off of.

2) I have a wildcard cert that was signed by GoDaddy.  The certificate request and public and private keys were previously generated on another server.

How to do it.

1) On Mavericks server, click the "Certificates" section on the left panel.  The certificates panel will appear

2) Click the "+" button at the bottom.  A menu will appear

3) Select "Import a Certificate Identity...".  A dialog will appear asking for the certificate and the private key

4) Log onto server that was originally used to generate the public and private key.  (In my case this was Linux server running Apache)

5) Download the certificate generated by GoDaddy to your Mac (usually ends with a *.crt extension)

6) Download the private key to your Mac (usually ends with a *.key extension)

7) Drag the private key and the certificate onto the "certificate dialog"

8) Click "Import"

Hope that helps someone else.

After upgrade to OS X 10.9.2 and the server to version 3.0.3 the problem is still there :-(

Has anyone had any trouble securing Open Directory with SSL? And with the latest bug, its not like SSL makes a difference anymore, anyways.

Working fine so far here. Server has been up and running for 15 hours now, using Kerberos and network sign-on, no issues.

I've only had problems thus far when I try to use 3rd party certificates.

Just to confirm my settings: I am using GoDaddy UCC.

@Gavin  15458777 is my bug report number.  It's open - if I have more information I will post it here.

+1 for this bug being a deal breaker on our server. hope Apple fixes this soon!

Miggl.

I have been struggeling with this on several servers using a wildcard certificate from GoDaddy. The certificate works just fine on 10.6.8, and on other platforms. On 10.8 and 10.9 I have major problems though.

If I use a brand new installation everything works like a charm, I can add replicas, and it can works as long as I do not restart the server. Upon restart however I get all kinds of errors, and Open Directory will not work. I get a wide range of errors, including:

--> slapd[74179]: TLS: could not convert keychain item 'APPLE:*.xxxxxxx.com' to EVP_PKEY

and failure to start, like:

-->  (org.openldap.slapd) Throttling respawn: Will start in 10 seconds

Have you rebooted your box after getting it to work?

I am having this exact same problem, and just noticed it. The certs we use here (Office of Information Technology at University of Massachusetts Amherst) are most often issued by InCommon.org so there shouldn't be a problem with this.

I am now wondering if this is causing a related problem with Profile Manager.

This is happening on Server v3.0.3 after an upgrade from 10.8 / Server 2.

Did someone already check it with the latest Server update v3.1?