Q: Server 3 / SSL Certificate / Open Directory - Problem!

I updated to Server 3.1 yesterday, and the problem with Open Directory not "accepting" the cert remains, at least for me. All other services have no problem with my cert.

Bummer that Apple still isn't fixing this bug i will added this information in the bug report.

Our Mavericks server is 'idle' because of this issue… and certificate authorities, who live this sh*t, have no work-around…

#disappointing

This is how i solved worked around it. Goal: move our LDAP servers from 10.6 to 10.9. I have spent countless hours trying to get that working.

I was so privelidged that to also move from a ldap.local domain to a new public domain. So I could afford to have a untouched, working LDAP along the way.

First try:

I exported users and groups (as text) from 10.6 and import in 10.9. Clean install of 10.9. Wildcard ceritificates from GoDaddy. Set up ONLY Open Directory. Checked that I had a proper two-way resolving DNS and set up two replicas (on virtual machines - clean install). Everything would work - UNTIL RESTART. Every single time. I read all the forums, tried a ton of solutions. Twice. Cried myself to sleep. Started all over with format and clean install. Same thing happened. Many suggested that I should avoid importing old LDAP info.

Second try:

Sooo... I started all over, format, reinstall. This time i ONLY imported the Groups - not the Users from 10.6. (The text files did look so innocent!). I typed every user from scratch, painfully paying attention to the user IDs to get a everything as close to the old LDAP. Same thing happened; everything looked good... until restart. Boom!

Final try - this worked:

Imported NOTHING AT ALL from 10.6 servers. Format, clean install, SSL certificates, reverse DNS etc. Manually typed every single user and every single group, getting every single ID right (hopefully). It now seem to work correctly and I can reboot any server or replica without returning with a damaged LDAP. OS 10.9.2 and sever 3.03. The only change between second and third try was not importing the groups from 10.6 - and that textfile is tiny!

I think there is something in the import-routine that screws this up. (this may also be triggered in "upgrade to newer version"?)

Note; I did try to upgrade a clean OS 10.9 on a virtual machine to server 3.1. CPU load goes to 100% Logs are constantly overloaded with errors. I ran away. I am not going to touch anything in a while - not until I am done with therapy after the Open Directory nightmare this has been.

hvar the only thing you can do is to fill in a bug report at Apple and hope that there something is triggerd there to not only look at the problem but solve it.

I fill in my bug but after some questions (and response from me with uploaded genereted data) the last 6 weeks it keeps silence. Ask them for an update about this problem but it keeps silence....

link http://bugreport.apple.com

The same thing for me, but with a web server.

If I set 3rd party certificate via website settings panel there is some diagnostic in Console log:

Error: The server '127.0.0.1' reported an error while processing a command of type: 'writeSettings' in plug-in: 'servermgr_web'. Error: Error Domain=XSActionErrorDomain Code=0 "Error Domain=XSServerFoundationErrorDomain Code=11 "Attempt to modify read-only settings on default virtual host" ...

I have the same issue using ssl certs for Open Direcory. We use Terena and according to the issuer it is based on comodo.

When I try to change to the ssl certificate it says in the Open Directory Configuration log.

slapconfig -setldapconfig

Provided SSL Ídentity "Myserver.se" is already configured for OD.

However it will not show in certificates management. It just says none.

I have checked Machine_Identity and Opendirectory_ssl_identity, identity preference, and it uses the correct ssl certificate.

I cannot even change to the old self signed certificate.

It is a clean maverics server 3.1.1 install.

All other services are working with this ssl certificate.

I've solved the problem with ssl sertificate for web server by requesting a new sertificate with sertificate request from my machine. Just followed the steps in Server.app manual.

@stel2k - the problem is not with 3rd party certificates and the Web server but with 3rd party certs and Open Directory, at least for me anyway…

Yes, but I had the same symptoms with web server and may be my answer could help with OD

I have same problem with OD and Self-Signed certificate. OD is signed by Self-Signed Intermediate cert and I can't change it.This bug is a mess!

@bekman553

Can you give us some more information? OS is 10.9.3? server version is 3.1.2?

Well, my system is 10.9.2, Server 3.1.1. I Have Self-signed root certificate wich should be used to sign all services. But I can't set OD to this one. It automatically jumps to Intermediate CA. And in log I can see this: Provided SSL Identity //mydomain// is already configured for OD.

please report this at http://bugreport.apple.com