Re: openLDAP with let's encrypt SSL certificate



Jonas Kellens wrote:
> I am trying to configure openLDAP on Centos 6.8 with SSL.

Note that OpenLDAP builds on RHEL/CentOS are linked against libnss and
you likely have to deal with certutil to prepare the cert and key DB.

> My /etc/openldap/slapd.conf file has the following lines :
> 
> TLSCACertificateFile /etc/letsencrypt/live/slap01.domain.tld/fullchain.pem
> TLSCertificateFile /etc/letsencrypt/live/slap01.domain.tld/cert.pem
> TLSCertificateKeyFile /etc/letsencrypt/live/slap01.domain.tld/privkey.pem

Unfortunately, even though the config directives use the very same
names, they have different meaning when linked against libnss.
Personally I consider this a serious design flaw of the libnss support.

Example (from my memory):

# *directory* with libnss DB files
TLSCACertificatePath /etc/openldap/certs
# key alias used for server key
TLSCertificateFile server-key-alias
# pass-phrase file for using key DB file
TLSCertificateKeyFile /etc/openldap/certs/password

Ciao, Michael.
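Worked example of the certutil preparation Michael refers to, added here as an illustration and not part of the thread. It assumes the Let's Encrypt live directory from Jonas's slapd.conf, uses /etc/openldap/certs as the NSS database directory and "slap01" as the key/cert nickname (both are assumptions, adjust as needed), and bundles cert, key and chain into a PKCS#12 file because NSS cannot import a bare PEM private key. The import must be repeated after every Let's Encrypt renewal, since the NSS DB holds a copy of the certificate rather than a reference to the PEM files.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): prepare an NSS cert/key
# database for an OpenLDAP build linked against libnss, from Let's Encrypt
# PEM files, and print the matching slapd.conf fragment.
# Assumed values: LE_DIR, NSS_DIR and NICK below.
set -eu

LE_DIR=${LE_DIR:-/etc/letsencrypt/live/slap01.domain.tld}   # assumption
NSS_DIR=${NSS_DIR:-/etc/openldap/certs}                      # assumption
NICK=${NICK:-slap01}                                         # assumed nickname
PW_FILE="$NSS_DIR/password"

# Both NSS tools are needed; return non-zero if either is missing.
have_nss_tools() {
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1
}

# True if an NSS database (dbm or sqlite layout) already exists in $1.
nss_db_files_present() {
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# slapd.conf fragment with the libnss meaning of the three directives:
# a DB *directory*, a key/cert *nickname*, and the DB *password file*.
nss_slapd_conf() {
    dir=$1
    nick=$2
    printf 'TLSCACertificatePath %s\nTLSCertificateFile %s\nTLSCertificateKeyFile %s/password\n' \
        "$dir" "$nick" "$dir"
}

prepare_nss_db() {
    have_nss_tools || { echo "certutil/pk12util not found (install nss-tools)" >&2; return 1; }
    umask 077                       # DB and password file must not be world-readable
    mkdir -p "$NSS_DIR"

    # Random DB password, stored where TLSCertificateKeyFile will point.
    if [ ! -f "$PW_FILE" ]; then
        openssl rand -base64 24 > "$PW_FILE"
    fi

    # Create the cert/key DB unless one is already there.
    if ! nss_db_files_present "$NSS_DIR"; then
        certutil -N -d "$NSS_DIR" -f "$PW_FILE"
    fi

    # Bundle cert + private key + intermediate chain into PKCS#12, then import.
    tmp=$(mktemp -d)
    openssl pkcs12 -export \
        -in "$LE_DIR/cert.pem" -inkey "$LE_DIR/privkey.pem" \
        -certfile "$LE_DIR/chain.pem" -name "$NICK" \
        -passout "file:$PW_FILE" -out "$tmp/$NICK.p12"
    pk12util -i "$tmp/$NICK.p12" -d "$NSS_DIR" -k "$PW_FILE" -w "$PW_FILE"
    rm -rf "$tmp"

    # slapd on CentOS runs as user "ldap"; it must be able to read DB and password.
    chown -R ldap:ldap "$NSS_DIR"

    # Verification: the nickname must appear with a key, not only as a cert.
    certutil -L -d "$NSS_DIR"
    certutil -K -d "$NSS_DIR" -f "$PW_FILE"

    echo "# put this into slapd.conf:"
    nss_slapd_conf "$NSS_DIR" "$NICK"
}

# Only act when explicitly requested, so sourcing the file is side-effect free.
if [ "${NSS_PREPARE:-}" = "1" ]; then
    prepare_nss_db
fi
```

Run it as root with `NSS_PREPARE=1 sh prepare-nss.sh`; after a renewal, re-run it (for example from a certbot deploy hook) so the DB picks up the new certificate. If the intermediate needs explicit trust flags for some client, `certutil -M -d /etc/openldap/certs -n <nickname> -t "CT,,"` adjusts them; `certutil -L` shows the nicknames NSS assigned to the imported chain certificates.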