I'm not certain the hack Red Hat added to force OpenLDAP to use NSS actually causes OpenLDAP to use the NSS cert store. My RHEL6 OpenLDAP servers appear to just use the PEM certs they would have used if Red Hat had never messed with forcing OpenLDAP to use NSS and had instead left it at OpenSSL. I did check, and slapd is linked against the NSS libs, but it is using the PEM file in /etc/openldap/cacerts.

The fix for this might be as simple as linking the PEM version of the updated cert store into the directory where OpenLDAP is looking.


On Wed, Jun 3, 2020 at 11:32 AM Quanah Gibson-Mount <quanah@symas.com> wrote:


--On Wednesday, June 3, 2020 8:15 PM +0300 Леонид Юрьев <leo@yuriev.ru> wrote:

> Seems this is
> https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.

Since RHEL6 is in use here, specifically see the linked tweet for
Fedora/RHEL in the above post.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


--
Dale James Thompson, NWS
Radar Operations Center
IT Specialist, Configuration Management Team
1313 Halley Circle
Norman, OK 73069

Voice (405) 573-3472
Fax (405) 573-3480
Dale.J.Thompson@noaa.gov