Your message dated Tue, 17 Mar 2020 14:45:19 -0700
with message-id <[email protected]>
and subject line fixed in openldap 2.4.49+dfsg-1
has caused the Debian Bug report #416272,
regarding upgrade fails if using private SSL cert and pem
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
416272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.3.30-5
Severity: normal

Upgraded my OpenLDAP server this morning and slapd failed to start.  The
initial failure was in the middle of a general dist-upgrade from sarge
to etch.  As such the notices about the failure scrolled off the screen.

So, to find the reason for the failure I ran "apt-get -f install".  This
of course failed due to the backup already existing, as others have
noted.  Moving the latest backup out of the way allowed the previous
upgrade failure message and notes to be displayed.

Running "slapd -u openldap -g openldap -d 16383" revealed the cause of
the failure.

While the database ownership had been updated to the new user:group, the
configuration files (/etc/ldap) had not.  Specifically, the SSL
certificate and key used for SSL connections could not be read.

Changing the ownership on the key and certificate to openldap:openldap
and once again moving the backup out of the way corrected the problem.

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.18-5-k7

Debian Release: 4.0



--- End Message ---
--- Begin Message ---
Version: 2.4.49+dfsg-1

This has been fixed in bullseye. The upload closed #837341 and I forgot to merge this one first.

openldap (2.4.49+dfsg-1) unstable; urgency=medium
[...]
  * Backport proposed upstream patch to emit detailed messages about errors in
    the TLS configuration. (ITS#9086) (Closes: #837341)

Note that you still have to request debug output (e.g. slapd -d1) to receive messages about TLS configuration issues; they don't go to syslog.

Example output:

TLS: opening `/etc/ssl/private/ssl-cert-snakeoil.key' failed: Permission denied
TLS: could not use private key file `/etc/ssl/private/ssl-cert-snakeoil.key`.
5e71447f main: TLS init def ctx failed: -1

--- End Message ---

Reply via email to