Problem: when accessing the LDAP from outside, the certificate appears to be invalid


When you access your LDAP or Samba/AD from outside, you receive an error because the certificate has expired. But when you check your certificate, it appears to be valid.


This only seems to happen when you are using stunnel to access a service behind your firewall. When using Let’s Encrypt this is even more likely to happen, because its certificates are renewed frequently.
The reason is that stunnel caches the TLS state together with the certificate it loaded at start-up and does not notice by itself that this certificate has expired.

You can check this with

openssl s_client -connect ucs-master.domain.tld:636


Simply restart stunnel and things start working again.

systemctl restart stunnel


When you renew your certificates the next time, keep in mind to also restart all related services.

Let’s Encrypt

When using Let’s Encrypt you can use its script hooks to achieve this automatically. Create the following file


systemctl restart stunnel.service
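The following script is an added example, not part of the original article: it combines the check from above (compare the certificate that stunnel actually serves on port 636 with the certificate file on disk) with the restart step as a Let’s Encrypt deploy hook. It assumes certbot’s hook convention (certbot exports RENEWED_LINEAGE to deploy hooks), the host name ucs-master.domain.tld from the article, the certificate path shown below, and that slapd should be restarted alongside stunnel; adjust the SERVICES list to the services that load the certificate on your host.

```shell
#!/bin/sh
# Added example (not from the original article): Let's Encrypt deploy hook that
# restarts the services holding the old certificate in memory and then verifies
# that the LDAPS port really serves the renewed certificate.
# Assumptions: certbot sets RENEWED_LINEAGE for deploy hooks; host name, port,
# certificate path and service list below are placeholders for your setup.

LDAPS_HOST="${LDAPS_HOST:-ucs-master.domain.tld}"
LDAPS_PORT="${LDAPS_PORT:-636}"
# certbot exports RENEWED_LINEAGE to deploy hooks; fall back to a placeholder path.
CERT_FILE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/ucs-master.domain.tld}/fullchain.pem"
# Services that load the certificate at start-up and therefore need a restart
# after every renewal (assumed list; extend it for Samba/AD etc. as needed).
SERVICES="stunnel.service slapd.service"

# Expiry date ("notAfter=...") of the certificate a remote TLS endpoint presents.
served_cert_enddate() {
    # </dev/null closes the s_client session right after the handshake.
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Expiry date of the certificate file on disk.
file_cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# Pure comparison of two "notAfter=..." lines; succeeds only when both are
# non-empty and identical. A mismatch means some service is still serving a
# cached (possibly already expired) certificate.
expiry_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

restart_services() {
    for svc in $SERVICES; do
        systemctl restart "$svc"
    done
}

# Fail loudly when the served certificate is not the one on disk.
verify_served_cert() {
    served=$(served_cert_enddate "$LDAPS_HOST" "$LDAPS_PORT")
    ondisk=$(file_cert_enddate "$CERT_FILE")
    if expiry_matches "$served" "$ondisk"; then
        echo "OK: $LDAPS_HOST:$LDAPS_PORT serves the renewed certificate ($served)"
    else
        echo "WARNING: served '$served' != on disk '$ondisk'; a service still caches the old certificate" >&2
        return 1
    fi
}

# Only act when run by certbot (RENEWED_LINEAGE set) or explicitly as "deploy";
# sourcing or testing the script otherwise has no side effects.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "deploy" ]; then
    restart_services && verify_served_cert
fi
```

Install it executable under certbot’s deploy hook directory (/etc/letsencrypt/renewal-hooks/deploy/, assumed here) or point your Let’s Encrypt integration’s post-refresh hook at it; running it manually with the argument deploy performs the same restart-and-verify cycle, which is also a quick way to confirm the fix after a manual restart.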