LDAP for unix name services fails with "certificate has expired" after upgrade
Applies to
ONTAP 9
Issue
- After an upgrade, LDAP for UNIX name services fails with "certificate has expired"
::> ldap check -vserver VSERVER
Vserver: VSERVER
Client Configuration Name: Unix
LDAP Status: down
LDAP Status Details: Error: Validate the Ldap configuration procedure failed
[ 0 ms] Hostname found in Name Service Cache
[ 0] IP Address found in Name Service Cache
[ 0] Resolved LDAP servers: 10.1.1.2. Vserver: vserverid
[ 1] Successfully connected to ip 10.1.1.2, port 389 using TCP
[ 8] Unable to start TLS: Connect error
[ 8] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
- The secd log also shows the expired-certificate error during name-service lookups
[ 10] Unable to start TLS: Connect error
[ 10] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
- This can affect NFS and any other access that relies on name services (UNIX users, UNIX groups, name mapping, netgroups) configured in the name-service switch to use LDAP
- The server-ca certificate shown on the SVM is still valid (not expired)
::*> security certificate show -vserver VSERVER -type server-ca
Vserver    Serial Number                      Certificate Name                       Type
---------- ---------------------------------- -------------------------------------- ------------
VSERVER    01234567890ABCDEF01234567890ABCD   CERTIFICATENAME                        server-ca
    Certificate Authority: CERTIFICATEAUTHORITY
    Expiration Date: DAY MON DD hh:mm:ss YEAR
- The LDAP check may succeed when run over a direct SSH session to another node of the cluster
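As an added triage example (not part of this article and not ONTAP code), the Python below parses constructed `ldap check` and `security certificate show` output in the formats shown above and flags the contradiction the article describes: the TLS handshake reports an expired certificate while the installed server-ca still has a future expiration date. The SVM name, server IP, CA name and dates in the samples are constructed.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the 'ldap check' transcript in this article.
LDAP_CHECK = """\
Vserver: svm1
LDAP Status: down
[    1] Successfully connected to ip 10.1.1.2, port 389 using TCP
[    8] Unable to start TLS: Connect error
[    8] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
"""

# Constructed sample, modelled on 'security certificate show -type server-ca'.
CERT_SHOW = """\
    Certificate Authority: Example Root CA
    Expiration Date: Tue Mar 14 10:22:33 2028
"""

TLS_REASON = re.compile(r"certificate verify failed \((?P<reason>[^)]+)\)")
EXPIRY = re.compile(r"Expiration Date:\s*(?P<date>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})")

def parse_ldap_check(text):
    """Extract LDAP status, the server that was reached, and the TLS verify reason."""
    status = re.search(r"LDAP Status:\s*(\w+)", text)
    server = re.search(r"connected to ip ([\d.]+), port (\d+)", text)
    reason = TLS_REASON.search(text)
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "port": int(server.group(2)) if server else None,
        "tls_reason": reason.group("reason") if reason else None,
    }

def parse_server_ca_expiry(text):
    """Return the server-ca Expiration Date as a datetime, or None if absent."""
    m = EXPIRY.search(text)
    return datetime.strptime(m.group("date"), "%a %b %d %H:%M:%S %Y") if m else None

def triage(ldap_text, cert_text, now):
    """'mismatch' is the case this article describes: the handshake reports an
    expired certificate while the visible server-ca is still valid, so the expired
    certificate is not the one you can see; compare the check node by node."""
    chk = parse_ldap_check(ldap_text)
    if chk["status"] != "down" or chk["tls_reason"] != "certificate has expired":
        return "no-expired-cert-symptom"
    expiry = parse_server_ca_expiry(cert_text)
    if expiry is not None and expiry > now:
        return "mismatch"
    return "server-ca-expired"
```

Keep TLS validation enabled while triaging; the useful output is which node fails and what that node reports, not a way around the check.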
