As you suggested, I looked into the /var/log/dirsrv/slapd-E2WAN/errors file. I
decided to purposely restart the whole server, and at the very bottom I found
the following:
[05/Apr/2016:15:43:01 -0400] - Information: Non-Secure Port Disabled
[05/Apr/2016:15:43:01 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert wsf-LabLDAP.crt of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[05/Apr/2016:15:43:01 -0400] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
[05/Apr/2016:15:43:02 -0400] - slapd started. Listening on All Interfaces port 636 for LDAPS requests
What draws my attention is the second line of output, SSL alert:
CERT_VerifyCertificateNow etc... etc... etc... I would like to update the
certificate, because I did generate a new CA-signed certificate with the same
name wsf-LabLDAP.crt; and I did copy it into the same folder that the original
'expired' certificate was stored in.
Do you have the CA certificate in your /etc/dirsrv/slapd-<instance>/ nssdb? You
should be able to see it with certutil, and the trust flags CT. Try:
certutil -L -d /etc/dirsrv/slapd-<instance>/
Do you have a CA referenced in /etc/openldap/ldap.conf as well? That CA location
will need the CA certificate too.
What distro and version are you running (i.e. RHEL7)?
I think this is an SSL issue at this point, not a password one. The password
parts all looked fine to me.
[05/Apr/2016:15:46:52 -0400] conn=8 fd=64 slot=64 SSL connection from 192.168.2.243 to 192.168.2.243
[05/Apr/2016:15:46:52 -0400] conn=8 op=-1 fd=64 closed - SSL peer cannot verify your certificate.
I hope I provided proper and full details for your questions. I don't mind
sharing clear text passwords, the real system is not reachable from the
internet, and I am having this problem also in my virtual lab (where the data
from above is copy/pasted).
I don't think we'll need these.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
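A small parser for the "SSL alert" entries in the slapd errors log quoted in this thread, as an added example (not code from the thread or from 389-ds). The sample log text is constructed from the lines above, and the mapping of NSPR error -8181 to NSS's SEC_ERROR_EXPIRED_CERTIFICATE is the one NSS uses.

```python
import re
from datetime import datetime

# NSS error code for an expired certificate (the -8181 seen in the thread).
SEC_ERROR_EXPIRED_CERTIFICATE = -8181

# Constructed sample in the 389-ds errors-log format, taken from the thread above.
SAMPLE_ERRORS_LOG = """\
[05/Apr/2016:15:43:01 -0400] - Information: Non-Secure Port Disabled
[05/Apr/2016:15:43:01 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert wsf-LabLDAP.crt of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[05/Apr/2016:15:43:01 -0400] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
[05/Apr/2016:15:43:02 -0400] - slapd started. Listening on All Interfaces port 636 for LDAPS requests
"""

# "[timestamp] - message" is the errors-log line shape.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
# The certificate-verification alert, with the NSPR error code and reason text.
SSL_ALERT_RE = re.compile(
    r"SSL alert: (?P<func>\w+): verify certificate failed for cert (?P<nick>\S+) "
    r"of family (?P<family>\S+) \(Netscape Portable Runtime error "
    r"(?P<code>-?\d+) - (?P<reason>.*)\)$"
)


def parse_ssl_alerts(log_text):
    """Return one dict per SSL certificate-verification alert in the log text."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = SSL_ALERT_RE.search(m.group("msg"))
        if not a:
            continue
        alerts.append({
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "nickname": a.group("nick"),        # NSS nickname of the failing cert
            "family": a.group("family"),        # cn=RSA,cn=encryption,cn=config
            "nspr_error": int(a.group("code")),
            "reason": a.group("reason").rstrip("."),
        })
    return alerts


def expired_cert_nicknames(log_text):
    """Nicknames of certificates that failed verification because they expired."""
    return sorted({a["nickname"] for a in parse_ssl_alerts(log_text)
                   if a["nspr_error"] == SEC_ERROR_EXPIRED_CERTIFICATE})
```

Running it over a real /var/log/dirsrv/slapd-<instance>/errors file tells you which nickname in the NSS database to inspect with certutil -L before the server is restarted again.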