
Re: slapd and LetsEncrypt certificates: does a cert renewal necessitate a server restart?



Olivier wrote:
> Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca> writes:
> 
>> As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates.
>> Is there a way to make slapd aware of a cert renewal (they happen every 90
>> days) without restarting it, i.e., with minimal service interruption?
> 
> I *do* restart slapd after I installed the new Let's Encrypt
> certificate.

Use ldapmodify to set the new cert in cn=config. No restarts needed.
> 
> I doubt there is any other way to make the LDAP server aware of the
> certificate change. And this is a 20 seconds interruption, nothing worth
> mentioning (or you are a big organization, then you have redundant LDAP
> servers and you would upgrade one at a time so it should be transparent
> to your users).
> 
> Best regards,
> 
> Olivier
> 
>>
>> thanks,
>> jf
>>
>>
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
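One way to do what Howard's reply describes, as an added example that is not part of the thread: a small POSIX shell script that builds the cn=config LDIF and pipes it to ldapmodify over ldapi:///. It assumes cn=config is writable via SASL EXTERNAL from root, that certbot keeps its files under /etc/letsencrypt/live/ldap.example.org (a hypothetical host name), and that openssl is installed for the cert/key sanity check.

```shell
#!/bin/sh
# Added example, not code from the thread. Certbot directory for a
# hypothetical host; override with LE_DIR=... in the environment.
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/ldap.example.org}"

# Print an LDIF that replaces the TLS attributes of the cn=config entry.
# Arguments: cert file, key file, CA chain file. All three replacements are
# part of one modify operation so slapd reloads a consistent cert/key pair.
renewal_ldif() {
    cert="$1"; key="$2"; ca="$3"
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: olcTLSCertificateFile' \
        "olcTLSCertificateFile: $cert" \
        '-' \
        'replace: olcTLSCertificateKeyFile' \
        "olcTLSCertificateKeyFile: $key" \
        '-' \
        'replace: olcTLSCACertificateFile' \
        "olcTLSCACertificateFile: $ca" \
        '-'
}

# Verify that the renewed certificate and private key belong together before
# pushing them, so a mismatch cannot leave slapd with a broken TLS context.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Apply the renewal. Certbot writes renewed files to the same paths, so a
# 'replace' with the unchanged value is what makes slapd re-read the files.
apply_renewal() {
    cert_matches_key "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" || return 1
    renewal_ldif "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" "$LE_DIR/chain.pem" \
        | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}
```

Run apply_renewal from a certbot deploy hook so it fires on each renewal; the account slapd runs as must be able to read the renewed privkey.pem, which certbot's default directory permissions do not allow.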