Description
The internal self-signed LDAP certificate (used for IDP ↔ IDM communication) expires after exactly 365 days and is never automatically renewed. After one year of uptime, login fails with HTTP 500:
ldap identifier backend logon connect error: LDAP Result Code 200 "Network Error":
tls: failed to verify certificate: x509: certificate has expired or is not yet valid
Root Cause
In pkg/crypto/templates.go, the certificate validity is hardcoded to 365 days:
    var acmeTemplate = x509.Certificate{
        // ...
        NotBefore: time.Now(),
        NotAfter:  time.Now().Add(24 * time.Hour * 365),
        // ...
    }
In pkg/crypto/gencert.go, the GenCert function only checks if the certificate file exists — not whether it is still valid:
    if certErr == nil || keyErr == nil {
        // cert already exists → skip generation
        return nil
    }
This means the certificate is generated once on first startup and never rotated.
Impact
Every OpenCloud installation using the built-in IDM/LDAP will experience a complete login outage exactly one year after initial deployment.
Suggested Fix
On startup, GenCert should additionally check the certificate's NotAfter field and regenerate it if it is expired or expiring soon (e.g., within 30 days). This would make the rotation transparent and require no manual intervention.
Workaround
Manually delete /var/lib/opencloud/idm/ldap.crt and /var/lib/opencloud/idm/ldap.key, then restart the OpenCloud container. A new certificate will be generated automatically.
Environment
- OpenCloud v6.2.0 (rolling)
- Docker Compose deployment
- Installation age: 1 year