Changing SSSD cert
After re-provisioning my Samba 4 domain, I found SSSD giving m a strange error: :
ldap_install_tls failed: [Connect error]
[TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.]
It seems SSSD caches the ca cert of your ldap service (even if you change the SSSD domain name). I couldn't find where to flush this, but changing some of the tls options will fix it.
In SSSD.conf:
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_tls_reqcert = demand
Now to make the cacertdir work you need to run
cacertdir_rehash /usr/local/samba/private/tls
Your SSSD should now be working again.