I have been trying to figure this out for a while now and I need to get
it done before too long. We have certificates expiring soon. I know very
little about dealing with certs and the person that set this up has
moved on. We have two eDirs set up behind a VIP for load balancing. They
used to be just behind a DNS round robin. The certs for the servers and
the VIP will be expiring soon. I got the certs for the two eDir servers,
imported the one on one server to make sure everything goes ok. It
imported ok and I double checked to make sure it was valid and
everything. Once I changed the LDAP config to use the new cert then
authentication started to fail for that server so I switched it back. I
have been told I need to configure any LDAP consumers to use the new
certificate but I am not sure if that is the case. Is that
correct/typical? I talked to one of the admins of one of the services
that uses our LDAP and they talked to their co-workers and no one
remembers doing anything like that previously.

I keep getting this in the trace:

09:05:09 601B4700 LDAP: New TLS connection 0x7c0127b0 from xxx.xxx.xxx.xxx:28158, monitor = 0xe1e09700, index = 26
09:05:09 E1E09700 LDAP: Monitor 0xe1e09700 initiating TLS handshake on connection 0x7c0127b0
09:05:09 ADBBD700 LDAP: (xxx.xxx.xxx.xxx:28158)(0x0000:0x00) DoTLSHandshake on connection 0x7c0127b0
09:05:09 ADBBD700 LDAP: (xxx.xxx.xxx.xxx:28158)(0x0000:0x00) TLS accept failure 5 on connection 0x7c0127b0, setting err = -5875. Error stack:
09:05:09 ADBBD700 LDAP: (xxx.xxx.xxx.xxx:28158)(0x0000:0x00) TLS handshake failed on connection 0x7c0127b0, err = -5875
09:05:09 ADBBD700 LDAP: Server closing connection 0x7c0127b0, socket error = -5875
09:05:09 ADBBD700 LDAP: Connection 0x7c0127b0 closed

bobbintb's Profile: https://forums.netiq.com/member.php?userid=5629
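A pre-flight check a defender would want before repeating the cutover, added here as an example that is not part of the post: does the replacement certificate chain to a CA the LDAP consumers already trust, does its subjectAltName cover the VIP name they actually connect to, and is it not about to expire? If the new certificate was issued by a different CA than the old one, the first check fails, and that is exactly the case in which every consumer's trust store has to be updated before the server is switched over. The script builds a throwaway CA and three server certificates with openssl as constructed test data; the host names ldap1.example.test and ldap.example.test, the file names, the "old"/"new" CA labels and the 30-day threshold are all assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post: offline pre-flight check for a
# replacement LDAP server certificate. Host names, file names and the test
# CAs below are constructed for the demo; openssl 1.1.1 or newer is assumed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Issue a server certificate from a given CA with a subjectAltName covering
# both the server's own name and the VIP name the LDAP consumers connect to.
issue_server_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = SAN list
  printf 'subjectAltName=%s\n' "$3" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=ldap1.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$WORK/$2.pem" -days 365 -extfile "$WORK/$2.ext" >/dev/null 2>&1
}

# Throwaway PKI (constructed): the CA the consumers trust today ("old-ca"),
# a different CA ("new-ca"), and three candidate server certificates.
make_test_pki() {
  for ca in old-ca new-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$ca.key" \
      -out "$WORK/$ca.pem" -days 365 -subj "/CN=$ca" >/dev/null 2>&1
  done
  issue_server_cert old-ca good  "DNS:ldap1.example.test,DNS:ldap.example.test"
  issue_server_cert new-ca newca "DNS:ldap1.example.test,DNS:ldap.example.test"
  issue_server_cert old-ca nosan "DNS:ldap1.example.test"
}

# Does the certificate chain to a CA in the consumers' trust bundle?
check_chain() {   # $1 = cert, $2 = CA bundle the consumers trust
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the subjectAltName list the exact DNS name clients connect to?
check_san() {     # $1 = cert, $2 = DNS name (e.g. the VIP name)
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$2"
}

# Will the certificate still be valid in $2 days?
check_expiry() {  # $1 = cert, $2 = minimum days of validity left
  openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Run all three checks; report every failure, return non-zero if any failed.
preflight() {     # $1 = cert, $2 = CA bundle, $3 = VIP DNS name, $4 = min days
  _ok=0
  check_chain "$1" "$2"  || { echo "  FAIL: does not chain to a CA in $2 (consumers would reject it)"; _ok=1; }
  check_san "$1" "$3"    || { echo "  FAIL: subjectAltName lacks DNS:$3"; _ok=1; }
  check_expiry "$1" "$4" || { echo "  FAIL: expires within $4 days"; _ok=1; }
  return $_ok
}

make_test_pki
for c in good newca nosan; do
  echo "== $c.pem"
  if preflight "$WORK/$c.pem" "$WORK/old-ca.pem" ldap.example.test 30; then
    echo "  OK: safe to switch the LDAP listener to this certificate"
  fi
done
```

In a real rotation the CA bundle passed to check_chain is whatever the consumers trust (the bundle on the application servers, not the one on the eDirectory host), and the DNS name is the one in their LDAP URL, which behind a load balancer is the VIP name rather than the individual server name.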