Problem: when accessing LDAP from outside, the certificate appears to be invalid

stunnel
ssl
certificates
letsencrypt
ucs-4
problem

Problem

When you access your LDAP or Samba/AD service from outside your network you get an error because the certificate presented by the server has expired. Yet when you check the certificate file on the server itself, it is valid: it has already been renewed.

Environment

This only seems to happen when you use stunnel to reach a service behind your firewall. With Let's Encrypt it is much more likely to happen, because those certificates are only valid for 90 days and are renewed automatically every few weeks.
The reason is that stunnel loads the certificate and key into memory when it starts and keeps using that copy. It does not notice that the file on disk has been replaced by a renewed certificate, so it keeps presenting the old one until that one expires.

You can verify this by connecting through stunnel and looking at the certificate it presents:

openssl s_client -connect ucs-master.domain.tld:636 -servername ucs-master.domain.tld </dev/null

The validity dates in the certificate it prints are those of the old, expired certificate, whereas openssl x509 -noout -dates -in <certificate file> run on the server shows the renewed one.
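
The manual comparison above can be turned into a check that compares the SHA-256 fingerprint of the certificate stunnel actually presents with the fingerprint of the certificate file on disk. This is an added example, not part of the original article or of UCS; the host name, port and certificate path in the usage comment are placeholders you replace with your own.

```sh
#!/bin/sh
# check_stunnel_cert.sh (added example, not part of the original article)
#
# Compares the certificate a stunnel endpoint actually presents with the
# certificate file on disk. If the SHA-256 fingerprints differ, stunnel is
# still serving the copy it loaded at start-up and needs a restart.
#
# Assumed usage (host, port and certificate path are placeholders):
#   sh check_stunnel_cert.sh ucs-master.domain.tld 636 /etc/stunnel/server.pem

# Reduce OpenSSL fingerprint output such as
#   "SHA256 Fingerprint=AB:CD:..." (OpenSSL 1.1) or "sha256 Fingerprint=ab:cd:..." (OpenSSL 3)
# to a plain upper-case hex string so both sides compare reliably.
normalize_fp() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr -d ':' | tr 'a-f' 'A-F'
}

# Fingerprint of the first certificate in a PEM file on disk.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}

# Fingerprint of the leaf certificate presented on host:port. -servername sends
# SNI so a name-based endpoint returns the right certificate; stdin is closed so
# s_client exits after the handshake instead of waiting for input.
presented_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Validity window of the presented certificate, shown in the mismatch report.
presented_dates() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# Returns 0 only when both fingerprints are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    host=$1; port=$2; certfile=$3
    live=$(presented_fingerprint "$host" "$port")
    disk=$(file_fingerprint "$certfile")
    echo "presented by $host:$port : ${live:-<no certificate received>}"
    echo "file $certfile : ${disk:-<unreadable>}"
    if fingerprints_match "$live" "$disk"; then
        echo "OK: stunnel is serving the certificate that is on disk"
        return 0
    fi
    echo "MISMATCH: stunnel is still serving a stale certificate; restart it"
    presented_dates "$host" "$port"
    return 2
}

# Only run when called with all three arguments, so the functions can also be
# sourced from another script.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The script exits with status 2 on a mismatch, so it can be run from cron or a monitoring check after each renewal; a mismatch right after a Let's Encrypt refresh is the symptom this article describes.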

Solution

Restart stunnel so that it reads the renewed certificate from disk again:

systemctl restart stunnel

Use the unit name that exists on your system: on Debian-based systems, which includes UCS, the packaged service is usually called stunnel4. Running systemctl list-units --type=service | grep -i stunnel shows the actual name.

General

When you renew your certificates the next time, remember to also restart every service that loaded the old certificate at start-up, otherwise it will keep presenting the expired one.

Let’s Encrypt

When using the Let's Encrypt app on UCS you can use its script hooks to do this automatically. Create the following file and make it executable (chmod +x):

/etc/univention/letsencrypt/post-refresh.d/stunnel

#!/bin/bash
# Runs after the Let's Encrypt app has refreshed the certificate. stunnel only
# reads the certificate at start-up, so restart it to pick up the new one.
systemctl restart stunnel.service
