Looking at the debug log, it is expired.  It puzzle me because the certs on the other two machine are working correctly.

Since this is the case (certificate expires), is it safe to create a new one for this machine?

Gavin Henry wrote:
----- "Ivan Ordonez" <iordonez@nature.berkeley.edu> wrote:

  
Hi,

Our environment is consist of 3 domain controllers - 1 primary and 2 
backup.  All domain controller are running on Gentoo platform using 
Samba with Openldap for user login and authentication.  One of the 
backup domain controller has been acting up lately and will not start

samba properly.  A quick look at the log showed:

slapd[22380]: conn=94 op=0 RESULT oid= err=0 text=
slapd[22380]: conn=94 fd=11 closed (TLS negotiation failure)
slapd[22380]: conn=95 fd=11 ACCEPT from IP=127.0.0.1:54158
(IP=0.0.0.0:389)

It seems obvious that the issue is with certificate.  The certificate
we 
are using was created using the primary domain controller and were
then 
copied to both backup domain controller.  If I create a brand new 
certificate using the backup domain controller having certificate
issue, 
will that interfere with the certificate on the primary domain 
controller?  Will that cause confusion on the domain? Creating a brand

new certificate is the only solution I can think of to fix this issue.
    

http://www.openldap.org/faq/data/cache/185.html

Has one of your certs expired? By default OpenSSL scripts do 365 days.