When I try to use letsencrypt certificates with openldap 2.4, it won’t start, and looking at the logs I see the following errors:
TLS: could not use certificate `/data/letsencrypt/live/example.com/cert.pem'.
TLS: error:0200100D:system library:fopen:Permission denied /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:391
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:393
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:438
57226a61 main: TLS init def ctx failed: -1
57226a61 slapd destroy: freeing system resources.
57226a61 slapd stopped.
57226a61 connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
Here’s the relevant snippet from slapd.conf:
# TLS STUFF
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /data/letsencrypt/live/example.com/fullchain.pem
TLSCertificateFile /data/letsencrypt/live/example.com/cert.pem
TLSCertificateKeyFile /data/letsencrypt/live/example.com/privkey.pem
TLSVerifyClient try
I’ve tried fiddling with permissions, giving the path to the “real” certificate files instead of the symlinks, etc., but nothing seems to work.
One thing I did find is that I had to reverse the order of the certificates in “fullchain.pem” (openldap would complain about that), but that didn’t help with the other error at all.
Any ideas?
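The fopen "Permission denied" above comes from the slapd process, not from the rc script, so what matters is whether the user slapd drops to can open the files and every directory leading to them. The ACME client's live/ directory holds symlinks into archive/, so both directories must be searchable by that user (check with ls -ld); making the .pem files themselves readable is not enough. The usual fix is to not point slapd at the client's tree at all, but to have a renewal deploy hook copy the current files into a directory slapd owns. The script below is an added example, not code from the original post or from OpenLDAP; it assumes the FreeBSD layout implied by the rc.d path (slapd running as ldap:ldap, restarted with service slapd restart), that the official letsencrypt/certbot client is used (it sets RENEWED_LINEAGE for deploy hooks), and a staging directory of /usr/local/etc/openldap/certs, all of which are assumptions you would adjust.

```shell
#!/bin/sh
# Added example (not from the original post): deploy hook that copies the
# current cert, chain and key out of the ACME client's live/<domain> directory
# into a directory slapd can read, then restarts slapd.
#
# Assumptions not stated in the post: slapd runs as ldap:ldap, the client is
# letsencrypt/certbot (which exports RENEWED_LINEAGE to deploy hooks), and the
# staging directory is /usr/local/etc/openldap/certs.
set -eu

# check_path_chain FILE
# Print the mode of every directory on the way to FILE, then of FILE itself
# (following symlinks). A directory without the search (x) bit for slapd's
# user or group is exactly what produces fopen: Permission denied.
check_path_chain() {
    target=$1
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        printf '%s %s\n' "$(ls -ld "$dir" | cut -c1-10)" "$dir"
        dir=$(dirname "$dir")
    done
    printf '%s %s\n' "$(ls -lL "$target" | cut -c1-10)" "$target"
}

# stage_certs SRC_DIR DST_DIR [OWNER]
# Copy cert.pem, fullchain.pem and privkey.pem from SRC_DIR into DST_DIR,
# dereferencing the live/ symlinks so slapd never has to traverse live/ or
# archive/. Certificates end up 0644, the private key 0640; when OWNER
# (user:group) is given the files are chowned so that group can read the key.
# Returns 1 if any expected file is missing.
stage_certs() {
    src=$1; dst=$2; owner=${3:-}
    mkdir -p "$dst"
    chmod 0755 "$dst"
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        # cp -L follows the symlink; copy to a temp name and rename so a
        # concurrently starting slapd never sees a half-written file.
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"
    done
    chmod 0644 "$dst/cert.pem" "$dst/fullchain.pem"
    chmod 0640 "$dst/privkey.pem"
    if [ -n "$owner" ]; then
        chown "$owner" "$dst/cert.pem" "$dst/fullchain.pem" "$dst/privkey.pem"
    fi
}

# Entry point when run by the ACME client as a deploy hook (assumed paths).
main() {
    lineage=${RENEWED_LINEAGE:?set by certbot for deploy hooks}
    stage_certs "$lineage" /usr/local/etc/openldap/certs ldap:ldap
    check_path_chain /usr/local/etc/openldap/certs/privkey.pem
    service slapd restart   # FreeBSD rc.d; assumed from the post's rc path
}

# Only act when invoked as a hook; sourcing the file just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

With this in place, TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile in slapd.conf point at the staged copies under /usr/local/etc/openldap/certs rather than at the live/ symlinks, and the key is never world-readable.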