Bug 57317 - slapd did not start during initial setup due to missing SSL certificate
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2024-05-23 11:22 CEST by Dirk Wiesenthal
Modified: 2024-05-23 13:42 CEST
What kind of report is it?: Development Internal
Description Dirk Wiesenthal univentionstaff 2024-05-23 11:22:42 CEST
Seen (once) in the Jenkins jobs (5.0-7):

slapd did not start during the initial setup, thus the join could not complete and the whole job failed.

From the syslog:

May 22 23:21:28 unassigned-hostname root: /etc/init.d/slapd start (pid: 4671, ppid:    1 systemd)
May 22 23:21:28 unassigned-hostname slapd[4734]: @(#) $OpenLDAP: slapd  (May 17 2024 16:20:42) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
May 22 23:21:28 unassigned-hostname slapd[4734]: main: TLS init def ctx failed: -1
May 22 23:21:28 unassigned-hostname slapd[4734]: slapd stopped.
May 22 23:21:28 unassigned-hostname slapd[4734]: connections_destroy: nothing to destroy.
May 22 23:21:28 unassigned-hostname slapd[4671]: Starting ldap server(s): slapd ...failed.
May 22 23:21:28 unassigned-hostname systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
May 22 23:21:28 unassigned-hostname systemd[1]: slapd.service: Failed with result 'exit-code'.
May 22 23:21:28 unassigned-hostname systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

Comment 1 Julia Bremer univentionstaff 2024-05-23 13:42:30 CEST
Additional info:
In the setup.log one can see this: 
Slapd failed to start during the certificate generation.
Somehow this looks like slapd is restarted while the certificate is still actively being created:


[master091] 2024-05-22T21:21:14.107185	__MSG__:Backing up old SSL certificate
[master091] 2024-05-22T21:21:14.170418	Wed May 22 23:21:14 CEST 2024
[master091] 2024-05-22T21:21:14.170828	__STEP__:5
[master091] 2024-05-22T21:21:14.176389	__MSG__:Generating SSL CA certificate.
[master091] 2024-05-22T21:21:20.227595	Generating RSA private key, 2048 bit long modulus (2 primes)
[master091] 2024-05-22T21:21:20.690903	...........................................................................................................................+++++
[master091] 2024-05-22T21:21:20.951841	....................................................................+++++
[master091] 2024-05-22T21:21:20.952099	e is 65537 (0x010001)
[master091] 2024-05-22T21:21:20.995697	Clearing symlinks in /etc/ssl/certs...
[master091] 2024-05-22T21:21:23.247696	done.
[master091] 2024-05-22T21:21:23.247696	Updating certificates in /etc/ssl/certs...
[master091] 2024-05-22T21:21:26.740889	137 added, 0 removed; done.
[master091] 2024-05-22T21:21:26.740889	Running hooks in /etc/ca-certificates/update.d...
[master091] 2024-05-22T21:21:26.748018	done.
[master091] 2024-05-22T21:21:26.833972	Getting request Private Key
[master091] 2024-05-22T21:21:26.834119	Generating certificate request
[master091] 2024-05-22T21:21:26.881403	Using configuration from /etc/univention/ssl/openssl.cnf
[master091] 2024-05-22T21:21:26.933462	__STEP__:7
[master091] 2024-05-22T21:21:26.940830	__STEP__:9
[master091] 2024-05-22T21:21:28.954878	Job for slapd.service failed because the control process exited with error code.
[master091] 2024-05-22T21:21:28.954878	See "systemctl status slapd.service" and "journalctl -xe" for details.
[master091] 2024-05-22T21:21:30.549470	__STEP__:10
[master091] 2024-05-22T21:21:31.712566	Creating certificate: master091.AutoTest091.test
[master091] 2024-05-22T21:21:32.873343	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:33.975019	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:35.069139	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:36.156258	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:37.267435	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:38.361143	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:39.445981	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:40.526812	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:41.601464	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:42.683585	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:43.755122	ldap_start_tls: Can't contact LDAP server (-1)
[master091] 2024-05-22T21:21:46.295260	Generating RSA private key, 2048 bit long modulus (2 primes)
[master091] 2024-05-22T21:21:46.558903	...................................................................+++++
[master091] 2024-05-22T21:21:46.884414	........................................................................................+++++
[master091] 2024-05-22T21:21:46.884632	e is 65537 (0x010001)
[master091] 2024-05-22T21:21:47.127688	Using configuration from /etc/univention/ssl/openssl.cnf
[master091] 2024-05-22T21:21:47.128246	Check that the request matches the signature
[master091] 2024-05-22T21:21:47.130250	Signature ok
[master091] 2024-05-22T21:21:47.130346	The Subject's Distinguished Name is as follows
[master091] 2024-05-22T21:21:47.130836	countryName           :PRINTABLE:'DE'
[master091] 2024-05-22T21:21:47.141733	stateOrProvinceName   :PRINTABLE:'DE'
[master091] 2024-05-22T21:21:47.142319	localityName          :PRINTABLE:'DE'
[master091] 2024-05-22T21:21:47.142999	organizationName      :PRINTABLE:'DE'
[master091] 2024-05-22T21:21:47.145322	organizationalUnitName:PRINTABLE:'Univention Corporate Server'
[master091] 2024-05-22T21:21:47.147112	commonName            :PRINTABLE:'master091.AutoTest091.test'
[master091] 2024-05-22T21:21:47.147626	emailAddress          :IA5STRING:'ssl@'
[master091] 2024-05-22T21:21:47.147940	Certificate is to be certified until May 21 21:21:46 2029 GMT (1825 days)
[master091] 2024-05-22T21:21:47.148077	Write out database with 1 new entries
[master091] 2024-05-22T21:21:47.148152	Data Base Updated
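
The ordering question raised in the comments can be checked mechanically by putting both logs on one clock. The following is an added example, not part of the bug report or of UCS: the function names are hypothetical, the sample lines are copied from the logs above, and the two-hour offset assumes the setup.log prefix is UTC while syslog is CEST (the `date` output logged at 21:21:14 reads 23:21:14 CEST).

```python
import re
from datetime import datetime, timedelta

# Excerpts copied from the setup.log and syslog lines quoted in this report.
SETUP_LOG = (
    "[master091] 2024-05-22T21:21:28.954878\tJob for slapd.service failed because the control process exited with error code.\n"
    "[master091] 2024-05-22T21:21:31.712566\tCreating certificate: master091.AutoTest091.test\n"
    "[master091] 2024-05-22T21:21:47.148152\tData Base Updated\n"
)
SYSLOG = "May 22 23:21:28 unassigned-hostname slapd[4734]: main: TLS init def ctx failed: -1\n"

SETUP_RE = re.compile(r"^\[[^\]]+\]\s+(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+)\s+(?P<msg>.*)$")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+(?P<msg>.*)$")

def parse_setup(text):
    """Return [(timestamp, message)] for every well-formed setup.log line."""
    events = []
    for line in text.splitlines():
        m = SETUP_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["msg"]))
    return events

def first(events, needle, after=None):
    """Timestamp of the first message containing needle (optionally after a time)."""
    return next((ts for ts, msg in events
                 if needle in msg and (after is None or ts > after)), None)

def tls_failures(text, year, offset_hours):
    """Syslog TLS init failures on setup.log's clock; year and offset are assumptions."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and "TLS init def ctx failed" in m["msg"]:
            local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append(local - timedelta(hours=offset_hours))
    return out

def analyse(setup_text, syslog_text, year=2024, offset_hours=2):
    events = parse_setup(setup_text)
    failed = first(events, "Job for slapd.service failed")
    cert_start = first(events, "Creating certificate:")
    cert_done = first(events, "Data Base Updated", after=cert_start)
    tls = tls_failures(syslog_text, year, offset_hours)
    return {
        "slapd_failed_before_host_cert": bool(failed and cert_start and failed < cert_start),
        "tls_failures_before_cert_issued": [t for t in tls if cert_done and t < cert_done],
        "seconds_until_cert_issued": (cert_done - failed).total_seconds() if failed and cert_done else None,
    }
```
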