

Open Directory renewed SSL certificate will not set

Having renewed our 10.10.2 server 4.03 ssl certificate with no problems, all services except open directory have accepted the change. Open directory refuses to use it and switches back to the old certificate, so we currently have two certificates active. I have 15 days before the old certificate expires and naturally since it affects OD, everything is going to grind to a halt.


As much as I enjoy having to do a clean install when the gremlins hit, does anyone, anywhere have any ideas?


Thanks in advance to any benevolent gurus out there, I'm stumped.


Guy

Xserve, OS X Yosemite (10.10.2)

Posted on Mar 4, 2015 1:20 PM

13 replies

Mar 5, 2015 9:15 AM in response to Linc Davis

Sorry, it's actually a bona fide SSL cert from GoDaddy. When the server was set up from scratch last year we converted the self-signed cert to a valid one. This one is coming to the end of its life, and that is why it has been updated, rekeyed and renewed, but for some reason it won't take for OD, though it's fine for everything else. Very frustrating. Any ideas?

Mar 5, 2015 11:49 AM in response to Linc Davis

Yep, that did indeed all happen thusly.

  1. Server prompted that the certificate was due to expire in 30 days.
  2. Selected current certificate in Server admin.
  3. Pressed Renew in Server admin for the certificate, which generated a pending certificate entry.
  4. Generated CSR.
  5. Re-keyed the cert on GoDaddy.
  6. Downloaded cert and intermediate.
  7. Dragged both cert and intermediate files onto the pending certificate in the Server app.
  8. Applied new certificate settings to services.
  9. All services except OD updated.


I'm pretty sure I followed all steps correctly. Don't remember having this trouble with Mavericks server.

What about turning all services back to the old certificate or a temporary self-signed cert, deleting the new cert and generating a fresh certificate?

Or shutting down Profile Manager, then turning off OD and redoing the certificate, then bringing OD and PM back up?

Many thanks for your help by the way.

Mar 5, 2015 2:52 PM in response to truong.dao

Many thanks, gentlemen, for your assistance; I have it working again!


I reverted to the old certificate for all services, deleted the new certificate, restarted the server and attempted to renew the original certificate again. For some reason the server complained that this was not a signed certificate, so I deleted it again, restarted, and on the third attempt the new certificate took. I am somewhat baffled but relieved.


Just cloning the server while having a well earned cuppa.


Thanks again, Linc and Truong

Jun 30, 2015 1:56 AM in response to governorguy

What are the effects of OD not using the renewed CA-signed certificate? From what I can see it is no longer used by OD (see below)


I followed exactly the same (correct) steps as @governorguy and, like him, all services except OD took the renewed certificate.


Regrettably I deleted the expiring certificate before discovering that OD had not taken the settings I made manually to use the renewed certificate.


However, I'm baffled as to what the effect is of not having OD associated with the renewed certificate, as:

  • Clients authenticate to Kerberos OK (IMAP and SMTP logins)
  • OS X network clients whose "Network Account Server" points to the OD Server can log in as Local Network Users OK.


From what I can see, OD seems to use a different certificate than any selectable in the Server's Certificates tab. There is a certificate that is in both the OS X Server's System keychain and the OS X network client's keychain:

  • Common Name: <myserver name> Open Directory Certification Authority
  • Organizational Unit: MACOSX OpenDirectory Root CA


Can anyone throw any more light on this?

Aug 21, 2015 10:55 AM in response to governorguy

I recently encountered this same issue on OS X 10.2 with Server 4.0. Our renewed GoDaddy SSL cert would not persist for Open Directory only; all other services used the updated cert without issue.


I noticed that in the /Library/Logs/slapconfig.log file, I would see the following message when attempting to use the updated cert for OD via the Server interface:

Could not locate certificate: myserver.mydomain.com 0


However, the updated cert was most definitely in the Keychain with the correct trust settings, etc (everything matched the expiring cert).


I tried the following to no avail, based on advice from this and other threads:

  • deleting the new cert, redoing the CSR and re-adding the updated cert
  • restarting the server, then trying to apply the cert to OD
  • applying the cert with OD turned off
  • explicitly choosing "Always Trust" on the updated GoDaddy cert in Keychain
  • manually importing the GoDaddy cert files directly to Keychain


What finally did the trick for me came from this thread:

OSX Yosemite Server 4.0 - webapps & SSL issues


I ended up using a RapidSSL cert, which persisted for all services when selected from the Server interface, with no issue. I also saw the slapconfig log file update with the following entries:

2015-08-21 15:26:56 +0000 slapconfig -setldapconfig
2015-08-21 15:27:00 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2015-08-21 15:27:00 +0000 Stopping LDAP server (slapd)
2015-08-21 15:27:04 +0000 Starting LDAP server (slapd)
2015-08-21 15:27:04 +0000 slapd started


The RapidSSL instructions for importing their cert state that both the certificate and the intermediate CA cert that they provide need to be explicitly trusted in Keychain, which I did do (followed the instructions here, with some adjustments for 10.10 server: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO22535)


I'm not sure why explicitly trusting the GoDaddy cert didn't work, but I'm just happy the RapidSSL cert works. I've verified that all relevant services are functioning fine with the new cert.

Dec 27, 2015 3:26 PM in response to DBergstrom

I have had this problem every year for the past several years using a wildcard certificate from GoDaddy. It always takes me a day set aside to fix it.


The issue I have had on my server is that when the new certificate is installed, and you try to switch Open Directory from the old certificate to the new one, the configuration never changes over. OD continues to look for the old cert even if you delete it from /etc/certificates.


My server has the correct name, DNS is set up, and all that stuff... So here's what I did this time that worked, after the new certificate was installed:


1) Open Server.app

2) Go to Server > Certificates and using the Secure Services using: dropdown, select Custom...

3) Set the Open Directory service to use "None" as the certificate and click OK

4) Go to Advanced > Open Directory

5) Turn off Open Directory (wait for it to shut down)

6) Turn Open Directory back on

7) Go to Logs and check the Open Directory Configuration log to make sure there were no errors on startup

8) Go back to Server > Certificates and using the Secure Services using: dropdown, select Custom...

9) Set the Open Directory service to use your new SSL certificate (in this case, my GoDaddy certificate) and click OK


After doing this and waiting a few moments...


10) Go to Server > Certificates and using the Secure Services using: dropdown, select Custom...


...and if successful you will see your new certificate selected. I would also check the OD Configuration log again to make sure.
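A command-line way to confirm which certificate Open Directory's LDAP listener (slapd) is actually presenting after such a renewal, added here as an example and not taken from this thread: it fetches the served leaf certificate with openssl and compares its SHA-256 fingerprint against the renewed PEM file, so a silent fall-back to the old certificate shows up as a MISMATCH instead of as an outage on expiry day. It assumes openssl is installed, that OD serves LDAPS on the standard port 636, and the host name and file path shown are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check that the Open Directory LDAP
# service presents the renewed certificate, not a stale one.
# Assumptions: openssl available; LDAPS on port 636; host/path are placeholders.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Print the notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fetch the leaf certificate a TLS listener presents and save it as PEM.
fetch_served_cert() {  # $1=host $2=port $3=output file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Compare two PEM files by fingerprint: returns 0 when identical, 1 otherwise.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Report whether OD serves the renewed certificate ($2 = renewed PEM on disk).
# Returns 0 on match, 1 on mismatch (the situation in the thread), 2 on fetch error.
check_od_cert() {  # $1=host $2=renewed PEM path
    tmp=$(mktemp) || return 2
    if ! fetch_served_cert "$1" 636 "$tmp"; then
        rm -f "$tmp"; echo "could not fetch certificate from $1:636"; return 2
    fi
    if same_cert "$tmp" "$2"; then
        echo "OK: OD presents the renewed cert, expires $(cert_not_after "$tmp")"; rc=0
    else
        echo "MISMATCH: OD presents $(cert_fingerprint "$tmp") (expires $(cert_not_after "$tmp"))"
        echo "          expected   $(cert_fingerprint "$2")"; rc=1
    fi
    rm -f "$tmp"; return $rc
}

# Usage with placeholder names (the real file name under /etc/certificates differs):
# check_od_cert myserver.mydomain.com /etc/certificates/myserver.mydomain.com.cert.pem
```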

