Problem: AD-Connection is not working anymore

Problem:

The AD-Connector connection is no longer working; synchronization between UCS and Active Directory has stopped.

Investigation:

Check the connector's status log:
/var/log/univention/connector-ad-status.log
If it contains a traceback that ends in ldap.CONNECT_ERROR with "certificate verify failed (certificate has expired)", like this one:

— connect failed, failure was: —
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 212, in _decorated
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 382, in __starttls
self.lo.start_tls_s()
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
return func(self,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 247, in main
connect(options)
File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 119, in connect
ad.init_ldap_connections()
File "/usr/lib/python3/dist-packages/univention/connector/ad/init.py", line 541, in init_ldap_connections
super(ad, self).init_ldap_connections()
File "/usr/lib/python3/dist-packages/univention/connector/init.py", line 497, in init_ldap_connections
self.open_ucs()
File "/usr/lib/python3/dist-packages/univention/connector/init.py", line 524, in open_ucs
self.lo = univention.admin.uldap.access(host=host, port=port, base=self.configRegistry['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=2, follow_referral=True)
File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 471, in __init__
self.lo = univention.uldap.access(host, port, base, binddn, bindpw, start_tls, uri=uri, follow_referral=follow_referral)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 292, in __init__
self.__open(ca_certfile)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 368, in __open
self.__starttls()
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 382, in __starttls
self.lo.start_tls_s()
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
return func(self,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)'}

The error is raised by OpenSSL while it verifies the peer during the connector's STARTTLS handshake. OpenSSL reports "certificate has expired" when any certificate it checks, the trust anchor it was told to use included, is past its Not After date, so either of the two certificate files the connector relies on can be the cause. Check the validity dates of both:
openssl x509 -in /var/cache/univention-ad-connector/CAcert-connector.pem -noout -text
and run the same command against the certificate file whose path is returned by ucr get connector/ad/ldap/certificate. The Validity section of the output shows the Not Before and Not After dates.

Solution:

If the certificate in /var/cache/univention-ad-connector/CAcert-connector.pem has expired: this file is the root CA certificate. Renewing it is described here:

If it is the other one, the certificate exported from the AD server and referenced by connector/ad/ldap/certificate: renew the certificate on the AD side, copy the new certificate to the UCS system, point the UCR variable at it and restart the connector:

/etc/univention/connector/ad/<new_cert>
ucr set connector/ad/ldap/certificate='/etc/univention/connector/ad/<new_cert>'
systemctl restart univention-ad-connector

The file this variable points to is what the connector uses to verify the AD server's TLS certificate, so confirm the new certificate's fingerprint against the AD side before installing it, and do not work around the error by disabling TLS verification. Afterwards check /var/log/univention/connector-ad-status.log again to confirm that the connection is established.
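As an added example (not part of the original article and not Univention's own tooling), the following POSIX shell script checks both certificate files the procedure above refers to, reports which one has expired, and prints the SHA-256 fingerprint that should be compared with the AD side before a replacement is trusted. It assumes openssl is installed; the paths and the UCR variable are the ones named above, the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: report the validity of the
# two certificate files the AD-Connector depends on, so the expired one can be
# identified before anything is replaced. Requires openssl.

# cert_format FILE: print PEM or DER depending on how the certificate is
# encoded (certificates exported from a Windows CA are often DER).
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# cert_is_expired FILE: exit 0 if the certificate's Not After date has passed,
# 1 if it is still valid, 2 if FILE is unreadable or not a certificate.
cert_is_expired() {
    [ -r "$1" ] || return 2
    fmt=$(cert_format "$1")
    # -checkend 0 succeeds while the certificate is valid right now and fails
    # once Not After has passed (or when the input cannot be parsed at all).
    if openssl x509 -in "$1" -inform "$fmt" -noout -checkend 0 >/dev/null 2>&1; then
        return 1
    fi
    # The check failed; distinguish "expired" from "not a certificate".
    openssl x509 -in "$1" -inform "$fmt" -noout >/dev/null 2>&1 || return 2
    return 0
}

# cert_expires_within DAYS FILE: exit 0 if the certificate expires (or has
# already expired) within DAYS days, 1 if not, 2 if FILE is not a certificate.
# Suitable as a monitoring check that warns before the connector breaks.
cert_expires_within() {
    rc=0
    cert_is_expired "$2" || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    fmt=$(cert_format "$2")
    if openssl x509 -in "$2" -inform "$fmt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_enddate FILE: print the "notAfter=..." line as openssl reports it.
cert_enddate() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -enddate
}

# report_cert FILE: print subject, issuer, Not After and the SHA-256
# fingerprint (compare it with the source system before trusting a
# replacement), followed by a status line. Exit 0 when valid, 1 otherwise.
report_cert() {
    echo "== $1"
    rc=0
    cert_is_expired "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "   status: unreadable or not a certificate"
        return 1
    fi
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout \
        -subject -issuer -enddate -fingerprint -sha256 | sed 's/^/   /'
    if [ "$rc" -eq 0 ]; then
        echo "   status: EXPIRED"
        return 1
    fi
    echo "   status: valid"
    return 0
}

# check_connector_certs: report on the cached CA certificate and on the file
# named by the UCR variable connector/ad/ldap/certificate (read with ucr, which
# only exists on a UCS system). Exit 1 if either is expired or unreadable.
check_connector_certs() {
    rc=0
    report_cert /var/cache/univention-ad-connector/CAcert-connector.pem || rc=1
    ad_cert=$(ucr get connector/ad/ldap/certificate 2>/dev/null) || ad_cert=
    if [ -n "$ad_cert" ]; then
        report_cert "$ad_cert" || rc=1
    else
        echo "connector/ad/ldap/certificate is not set or ucr is not available; nothing to check"
    fi
    return $rc
}

# Run the report only when this file is executed as a script, not when it is
# sourced for its functions (for example from a monitoring wrapper).
case "${0##*/}" in
    check-ad-connector-certs.sh) check_connector_certs ;;
esac
```

Save it as check-ad-connector-certs.sh and run sh check-ad-connector-certs.sh on the UCS system; it exits non-zero if either certificate is expired, so it can also be run from cron or a monitoring agent, and cert_expires_within 30 FILE gives advance warning of the next expiry.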

See also:
Problem: AD-Connector doesn't start due to SSL problems
