[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
** Changed in: openldap2.3 (Debian)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/227744

Title:
  dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/227744/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

** Changed in: openldap2.3 (Ubuntu Hardy)
       Status: Triaged => Won't Fix
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
** Tags added: dapper2hardy
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
> Adding the openldap to the ssl-cert group by default is not an option

Please explain why. Is it a technical reason or a policy reason? Thanks.
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
It is not a good idea to add the user by default because not all openldap installations require it. If the user were added to the group by default, the openldap user could end up with access to highly sensitive data when it doesn't even need it for itself, possibly without the admin knowing about it. That said, the error message should be more clear IMHO, and possibly detected during upgrade.
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
> Adding the openldap to the ssl-cert group by default is not an option

Please explain why. Is it a technical reason or a policy reason? Thanks.
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
Marking won't fix in the development release. This is an issue related to upgrades from dapper to hardy. Adding the openldap to the ssl-cert group by default is not an option.

** Changed in: openldap (Ubuntu)
       Status: Triaged => Won't Fix
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
I'm running into the same problem on a fresh Hardy server. However, I see that /etc/ssl/private is owned by root, and no ssl-cert group exists. This is Hardy 8.04.2. Any thoughts?
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
** Summary changed:

- dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
+ dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
The error message should be improved.

** Changed in: openldap (Ubuntu)
   Importance: Undecided => Low
       Status: New => Triaged

** Changed in: openldap (Ubuntu Hardy)
       Status: New => Invalid
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
Marking invalid for openldap2.3 in intrepid.

** Changed in: openldap2.3 (Ubuntu)
       Status: Triaged => Invalid

** Also affects: openldap (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
The postinst script should check on upgrade from dapper if TLS is used and if so, add the openldap user to the ssl-cert group. Nominating for Hardy.

** Changed in: openldap2.3 (Ubuntu Hardy)
       Status: New => Triaged
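The check proposed in the comment above, sketched as a report-only diagnostic (an added example, not part of the original thread or of the openldap packaging): it reads `TLSCertificateKeyFile` from a slapd.conf and tests whether the given user can search the key's directory and read the key. The function names are hypothetical, `stat -c` assumes GNU coreutils, and only the key's immediate parent directory is checked.

```shell
#!/bin/sh
# Added example, not from the bug thread or the openldap package.
# Function names are hypothetical; stat -c assumes GNU coreutils.

# Print the private-key path from a slapd.conf, or nothing if TLS is unused.
tls_key_path() {
    awk 'tolower($1) == "tlscertificatekeyfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# perm_allows USER "GROUPS" OWNER GROUP MODE NEED
# Classic Unix check: owner bits if USER owns the object, else group bits
# if USER is in GROUP, else other bits. NEED is 4 (read) or 1 (search).
# Root's bypass, ACLs and AppArmor are not modelled.
perm_allows() {
    pa_mode=$(printf '000%s' "$5" | sed 's/.*\(...\)$/\1/')  # last 3 octal digits
    pa_g=${pa_mode#?}
    if [ "$1" = "$3" ]; then
        pa_bits=${pa_mode%??}
    else
        case " $2 " in
            *" $4 "*) pa_bits=${pa_g%?} ;;
            *)        pa_bits=${pa_mode#??} ;;
        esac
    fi
    [ $(( pa_bits & $6 )) -ne 0 ]
}

# check_slapd_key CONF USER: returns 0 if USER can reach and read the key
# (or TLS is not configured), 1 otherwise, naming the blocking path.
check_slapd_key() {
    ck_key=$(tls_key_path "$1")
    [ -n "$ck_key" ] || { echo "no TLSCertificateKeyFile in $1"; return 0; }
    ck_groups=$(id -Gn "$2") || return 1
    for ck_path in "$(dirname "$ck_key")" "$ck_key"; do
        if [ -d "$ck_path" ]; then ck_need=1; else ck_need=4; fi
        ck_stat=$(stat -c '%U %G %a' "$ck_path") || return 1
        # $ck_stat is split on purpose into OWNER GROUP MODE
        if ! perm_allows "$2" "$ck_groups" $ck_stat "$ck_need"; then
            echo "$2 cannot access $ck_path ($ck_stat); groups: $ck_groups"
            return 1
        fi
    done
    echo "$2 can read $ck_key"
}
```

Run as root, for example `check_slapd_key /etc/ldap/slapd.conf openldap` (path assumed), it reports the problem and leaves the decision to grant group membership to the administrator.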
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
A solution I found is simply to add openldap user to the ssl-cert group, which is the group that is allowed to read certificate key files under /etc/ssl/private, at least in a default hardy install.
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
Another small problem with it; the AppArmor profile allows reading from /etc/ssl/certs/* and /etc/ssl/private/* - but because of this bug, you have to put the cert elsewhere, forcing one to break the AppArmor profile. As a temporary solution, the installer could add /etc/ldap/private/, owned by openldap:openldap and modify AppArmor to allow slapd to read from that directory?
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64
Same problem here. I had to recreate the certificates. But not only for openldap, I had to recreate my CA certificate. This means I had to recreate all my server certificates. Not very nice.