I encountered an issue recently where I imported a wildcard certificate into an Open Directory server, which was fine; however, once I tried to select it, Open Directory immediately stopped working.
2015-03-14 10:42:07.113 AM com.apple.launchd: (org.openldap.slapd) Exited with code: 1
2015-03-14 10:42:07.113 AM com.apple.launchd: (org.openldap.slapd) Throttling respawn: Will start in 10 seconds
2015-03-14 10:42:17.150 AM com.apple.launchd: (org.openldap.slapd) Exited with code: 1
2015-03-14 10:42:17.150 AM com.apple.launchd: (org.openldap.slapd) Throttling respawn: Will start in 10 seconds
To diagnose, I turned LDAP off by way of launchd:
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
And then told OpenLDAP to launch in debug mode and not fork:
sudo /usr/libexec/slapd -d 99 -F /etc/openldap/slapd.d/
To which I received this reply:
TLS: attempting to read `/etc/certificates/server.inside.tld.ca.6C66FD3E997A9FD902DEA9050EE3F9A58EF63742.key.pem'.
TLS: could not use key file `/etc/certificates/server.inside.tld.ca.6C66FD3E997A9FD902DEA9050EE3F9A58EF63742.key.pem'.
TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch /SourceCache/OpenSSL098/OpenSSL098-47.2/src/crypto/x509/x509_cmp.c:406
55047382 main: TLS init def ctx failed: -1
That’s strange, I thought, so I cracked open /etc/openldap/slapd.d/cn=config.ldif in vim and found that at the bottom of the file the cert and the key had not changed over properly:
olcTLSCertificatePassphrase: "Mac OS X Server certificate management.6C66FD3E9
Notice how the certkeyfile does not match the cert or chain file? It’s like Server.app b0rk3d on parsing the wildcard symbol while modifying this file. The only way I’ve figured out how to get OD back on its feet after this disaster is to remove these lines from the cn=config.ldif and reboot the OD server. Even if I tried hand-coding the cert in, Open Directory would stop crashing; however, the secure LDAP service did not come up.
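The slapd error above ("X509_check_private_key:key values mismatch") is OpenSSL refusing a key file whose public half is not the one in the certificate. As an added example, not from the original post, the POSIX shell script below performs that same check on a cert/key pair before you point Open Directory at it; the fixture it builds (a self-signed wildcard cert, its key, and an unrelated key) is constructed, and the paths under /etc/certificates are what you would substitute.

```shell
#!/bin/sh
# Added example: pre-flight the check slapd performs at TLS init, so a
# mismatched olcTLSCertificateKeyFile is caught before the service crashes.
# Requires the openssl CLI. File names below are hypothetical.
set -eu

# Returns 0 if the certificate and key carry the same public key, 1 if they
# differ (slapd would fail with "key values mismatch"), 2 if a file is unreadable.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material in a temp dir: a self-signed wildcard cert with
# its own key, plus a second, unrelated key to model the post's mismatch.
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/good.key" \
    -out "$dir/wild.crt" -days 1 -subj "/CN=*.inside.tld" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" >/dev/null 2>&1
  echo "$dir"
}

# Demo when run as: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(make_fixture)
  cert_key_match "$d/wild.crt" "$d/good.key" && echo "good.key matches wild.crt"
  cert_key_match "$d/wild.crt" "$d/other.key" || \
    echo "other.key does NOT match wild.crt: slapd would fail TLS init"
  rm -rf "$d"
fi
```

On a real server, run `cert_key_match` against the files named by olcTLSCertificateFile and olcTLSCertificateKeyFile in cn=config.ldif; a non-zero result is exactly the condition that stopped slapd above.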
I’ve since switched to an internal CA and make certs for each FQDN, which has been a way better experience.