Gavin Lawrie

Q: Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.

 

We have an SSL certificate for server from Comodo.

 

Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configured via the Server app).

Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured while everything else is using SSL.

I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.

Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.

 

Anyone got any clues as to whether to fix or not, and if to fix, how?

 

Thanks in advance.

Mac mini (Late 2012), OS X Server

Posted on Nov 6, 2013 5:22 AM


first Previous Page 6 of 8 last Next
  • by Gavin Lawrie, Level 2 (413 points), Mar 19, 2014 4:04 AM in response to Peter-Erik

    Updating to Server 3.1 has made no difference on our system.

    Behaviour exactly as previously - setting our Comodo DCV SAN SSL certificate to be the one used by all services in the Server app results, after a delay of a few seconds, in the Server app reporting a custom configuration in use. Checking the custom configuration reveals that all services except the OD are using the Comodo certificate. Manually setting the OD to use the Comodo certificate results in the setting reverting to no certificate within a few seconds.

    The same certificate / hardware / configuration worked 100% OK under Server 2.x.  All that changed was the move to Server 3.

    HTH

  • by brucefromamherst, Level 1 (0 points), Mar 19, 2014 4:30 AM in response to Peter-Erik

    I updated to Server 3.1 yesterday, and the problem with Open Directory not "accepting" the cert remains, at least for me. All other services have no problem with my cert.

  • by Peter-Erik, Level 1 (10 points), Mar 19, 2014 4:45 AM in response to Gavin Lawrie

    Bummer that Apple still isn't fixing this bug. I will add this information to the bug report.

  • by Demetrios, Level 2 (206 points), Mar 20, 2014 11:51 AM in response to Peter-Erik

    Our Mavericks server is 'idle' because of this issue… and certificate authorities, who live this sh*t, have no work-around…

     

    #disappointing

  • by hvar, Level 1 (0 points), Mar 21, 2014 2:57 AM in response to Demetrios

    This is how I worked around it. Goal: move our LDAP servers from 10.6 to 10.9. I have spent countless hours trying to get that working.

    I was privileged enough to also be moving from a ldap.local domain to a new public domain, so I could afford to have an untouched, working LDAP along the way.

    First try:

    I exported users and groups (as text) from 10.6 and imported them in 10.9. Clean install of 10.9. Wildcard certificates from GoDaddy. Set up ONLY Open Directory. Checked that I had proper two-way resolving DNS and set up two replicas (on virtual machines - clean install). Everything would work - UNTIL RESTART. Every single time. I read all the forums, tried a ton of solutions. Twice. Cried myself to sleep. Started all over with format and clean install. Same thing happened. Many suggested that I should avoid importing old LDAP info.

    Second try:

    Sooo... I started all over, format, reinstall. This time I ONLY imported the Groups - not the Users from 10.6. (The text files did look so innocent!) I typed every user from scratch, painfully paying attention to the user IDs to get everything as close to the old LDAP as possible. Same thing happened; everything looked good... until restart. Boom!

    Final try - this worked:

    Imported NOTHING AT ALL from 10.6 servers. Format, clean install, SSL certificates, reverse DNS etc. Manually typed every single user and every single group, getting every single ID right (hopefully). It now seems to work correctly and I can reboot any server or replica without coming back with a damaged LDAP. OS 10.9.2 and Server 3.03. The only change between the second and third try was not importing the groups from 10.6 - and that text file is tiny!

    I think there is something in the import routine that screws this up. (This may also be triggered in "upgrade to newer version"?)

    Note: I did try to upgrade a clean OS 10.9 on a virtual machine to Server 3.1. CPU load goes to 100%. Logs are constantly overloaded with errors. I ran away. I am not going to touch anything for a while - not until I am done with therapy after the Open Directory nightmare this has been.

  • by Peter-Erik, Level 1 (10 points), Mar 21, 2014 4:36 AM in response to hvar

    hvar, the only thing you can do is to file a bug report at Apple and hope that something is triggered there to not only look at the problem but solve it.

    I filed my bug, but after some questions (and a response from me with uploaded generated data) it has been silent for the last 6 weeks. I asked them for an update about this problem, but it stays silent....

     

    link http://bugreport.apple.com

  • by stel2k, Level 1 (0 points), Mar 21, 2014 7:53 AM in response to Gavin Lawrie

    The same thing for me, but with a web server.

    If I set a 3rd party certificate via the website settings panel, there is this diagnostic in the Console log:

    Error: The server '127.0.0.1' reported an error while processing a command of type: 'writeSettings' in plug-in: 'servermgr_web'. Error: Error Domain=XSActionErrorDomain Code=0 "Error Domain=XSServerFoundationErrorDomain Code=11 "Attempt to modify read-only settings on default virtual host" ...

  • by Magnus.N, Level 1 (0 points), Mar 27, 2014 9:17 AM in response to Gavin Lawrie

    I have the same issue using SSL certs for Open Directory. We use Terena and according to the issuer it is based on Comodo.

    When I try to change to the SSL certificate, the Open Directory Configuration log says:

    slapconfig -setldapconfig

    Provided SSL Identity "Myserver.se" is already configured for OD.

    However it will not show in certificate management. It just says none.

    I have checked Machine_Identity and Opendirectory_ssl_identity, the identity preferences, and they use the correct SSL certificate.

    I cannot even change to the old self-signed certificate.

    It is a clean Mavericks Server 3.1.1 install.

    All other services are working with this SSL certificate.
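stel2k's Console error earlier in the thread and Magnus.N's slapconfig line above are the only diagnostics anyone has posted, and both are easy to miss in a busy log. As an added example (not code from any poster, Apple, or Server.app), here is a small Python scanner that pulls the plug-in, the nested error domain/code chain and the innermost message out of such servermgrd lines and flags the "already configured for OD" notice, run over a constructed sample log modelled on those two quoted lines; the line formats are assumed from the quoted text only.

```python
import re

# Constructed sample, modelled on the two messages quoted in this thread (stel2k's
# servermgr_web error and Magnus.N's slapconfig notice) plus a line to be ignored.
SAMPLE_LOG = """\
Error: The server '127.0.0.1' reported an error while processing a command of type: 'writeSettings' in plug-in: 'servermgr_web'. Error: Error Domain=XSActionErrorDomain Code=0 "Error Domain=XSServerFoundationErrorDomain Code=11 "Attempt to modify read-only settings on default virtual host" ...
slapconfig -setldapconfig
Provided SSL Identity "Myserver.se" is already configured for OD.
servermgrd: settings saved
"""

SERVERMGR_RE = re.compile(r"command of type: '(\w+)' in plug-in: '(\w+)'")
DOMAIN_RE = re.compile(r'Error Domain=(\w+) Code=(-?\d+)')
INNER_MSG_RE = re.compile(r'Code=-?\d+ "')
OD_IDENTITY_RE = re.compile(r'Provided SSL Identity (\S+) is already configured for OD')

def parse_servermgr_error(line):
    """Decode a servermgrd failure: plug-in, command, nested domain/code chain, innermost message."""
    m = SERVERMGR_RE.search(line)
    if not m:
        return None
    command, plugin = m.groups()
    chain = [(domain, int(code)) for domain, code in DOMAIN_RE.findall(line)]
    # The innermost message follows the last 'Code=N "' and runs to the next quote.
    starts = list(INNER_MSG_RE.finditer(line))
    message = line[starts[-1].end():].split('"', 1)[0] if starts else ""
    return {"kind": "servermgr_error", "command": command, "plugin": plugin,
            "chain": chain, "message": message}

def parse_od_identity_notice(line):
    """Match slapconfig's notice that the identity is already set, despite the UI showing none."""
    m = OD_IDENTITY_RE.search(line)
    if not m:
        return None
    return {"kind": "od_identity_already_configured", "identity": m.group(1).strip('"/')}

def scan_log(text):
    """Return one structured finding per recognised line; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        finding = parse_servermgr_error(line) or parse_od_identity_notice(line)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feeding it a saved Console or Open Directory Configuration log shows at a glance whether Server.app's "none" for OD is contradicted by slapconfig reporting the identity as already configured, which is the mismatch Magnus.N describes.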

  • by stel2k, Level 1 (0 points), Mar 27, 2014 11:09 AM in response to Gavin Lawrie

    I've solved the problem with the SSL certificate for the web server by requesting a new certificate with a certificate request from my machine. Just followed the steps in the Server.app manual.

  • by Demetrios, Level 2 (206 points), Mar 27, 2014 11:16 AM in response to stel2k

    @stel2k - the problem is not with 3rd party certificates and the Web server but with 3rd party certs and Open Directory, at least for me anyway…

  • by stel2k, Level 1 (0 points), Mar 27, 2014 11:19 AM in response to Demetrios

    Yes, but I had the same symptoms with the web server and maybe my answer could help with OD.

  • by bekman553, Level 1 (5 points), May 22, 2014 12:52 AM in response to Demetrios

    I have the same problem with OD and a self-signed certificate. OD is signed by a self-signed intermediate cert and I can't change it. This bug is a mess!

  • by Peter-Erik, Level 1 (10 points), May 22, 2014 1:12 AM in response to bekman553

    @bekman553

    Can you give us some more information? OS is 10.9.3? Server version is 3.1.2?

  • by bekman553, Level 1 (5 points), May 22, 2014 1:20 AM in response to Peter-Erik

    Well, my system is 10.9.2, Server 3.1.1. I have a self-signed root certificate which should be used to sign all services. But I can't set OD to this one. It automatically jumps to the intermediate CA. And in the log I can see this: Provided SSL Identity //mydomain// is already configured for OD.

  • by Peter-Erik, Level 1 (10 points), May 22, 2014 2:17 AM in response to bekman553

    Please report this at http://bugreport.apple.com
