Last week we replaced our Certificate Authority as it was due to expire yesterday (Monday). It was currently running on a fully patched NetWare 6.5 server and we took the decision to move it to a SLES 11 SP2 OES 11 server and re-create all the certificates, following Option 2 in TID 3618399.

We re-ran PKIDIAG on the Novell server and tckeygen, and restarted, and everything seemed fine: GroupWise (8) WebAccess and the PO using LDAP auth were working. But this morning we've discovered that LDAP is failing to do secure binds for iPrint secure printers and iFolder. We see this error message in the log screen:

>11:45:44 11:45:44 ldap *MASTER[xxxx.our-domain.com] connection restored
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][0] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][1] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][2] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][3] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][4] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][5] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][6] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][7] ldap_simple_bind : Can't contact LDAP server(81)
>11:45:44 11:45:44 ldap iFolder_ldap01[xxxx.our-domain.com] connection restored
>11:46:41 11:46:41 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind: Can't contact LDAP server(81)
>11:46:41 11:46:41 ldap iFolder_ldap01[xxxx.our-domain.com] down
>11:46:41 11:46:41 ldap *MASTER[xxxx.our-domain.com] down

and in the apache error log we see:

[Tue Aug 27 11:30:08 2013] [error] [client 10.0.0.43] no acceptable variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var
[Tue Aug 27 11:30:08 2013] [warn] [client 10.0.0.43] [10] auth_ldapdn authenticate: user bob authentication failed; URI /ipps/Ricoh [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Nothing else was changed other than creating a new CA (on a new server), removing the old one from eDirectory and generating the new certificates. If we use a web browser to the server to check the certificate we see that the CA cannot be validated as it is internal and not a publicly trusted one, but IIRC the old CA did the same.

PKIDiag and SDIDiag report no issues. The only thing I can imagine that could be causing the issue is the fact that the CA is no longer on the same server hosting iFolder and iPrint. Both servers host eDirectory and are part of the same replica ring; they can communicate and time is synchronised.

Any ideas?

Mark.
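One check worth running against the symptom above, added here as an example (it is not from Mark's post, nor Novell's own tooling): when a CA is recreated, a client that still trusts only the old CA fails the TLS handshake to the LDAPS port, and the LDAP client library typically surfaces that as LDAP_SERVER_DOWN (81) rather than as a certificate error. The script opens a TLS connection to the LDAPS port with openssl s_client, verifies the presented chain against a CA file you supply (the new CA's public certificate in PEM form), and explains the verify code; host, port and the CA path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# Map the "Verify return code" printed by openssl s_client to what it means
# for an LDAP client whose trust store may still hold the previous CA.
explain_verify_code() {
  case "$1" in
    0)     echo "chain verifies against the supplied CA file" ;;
    10)    echo "a certificate in the chain has expired" ;;
    18|19) echo "the chain's self-signed root is not in the supplied CA file" ;;
    20|21) echo "issuer of the server certificate is not in the supplied CA file" ;;
    *)     echo "openssl verify error $1 (see the openssl-verify man page)" ;;
  esac
}

# Extract the numeric verify code from captured openssl s_client output.
verify_code_from_output() {
  sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Connect to HOST:PORT (LDAPS is normally 636) and verify the server's chain
# against CAFILE. Returns 0 only when the chain verifies.
check_ldaps_chain() {
  host="$1"; port="${2:-636}"; cafile="$3"
  out=$(printf '' | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>&1)
  code=$(printf '%s\n' "$out" | verify_code_from_output)
  if [ -z "$code" ]; then
    echo "no TLS handshake output from $host:$port (port closed or not TLS?)"
    return 2
  fi
  echo "$host:$port -> verify code $code: $(explain_verify_code "$code")"
  [ "$code" -eq 0 ]
}

# Usage with placeholder values:
#   check_ldaps_chain ldap.example.com 636 /path/to/new-ca.pem
```

Run it once with the new CA file and once with the old CA's PEM: a chain that verifies only against the old one tells you the LDAP server is still serving a certificate issued by the CA that was removed, and a chain that verifies only against the new one points at clients whose trusted-root store was never updated.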