When I try to use Let's Encrypt certificates with OpenLDAP 2.4 it won’t start, and looking at the logs I see the following errors:
TLS: could not use certificate `/data/letsencrypt/live/example.com/cert.pem'.
TLS: error:0200100D:system library:fopen:Permission denied /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:391
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:393
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:438
57226a61 main: TLS init def ctx failed: -1
57226a61 slapd destroy: freeing system resources.
57226a61 slapd stopped.
57226a61 connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
Here’s the relevant snippet from slapd.conf:
# TLS STUFF
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /data/letsencrypt/live/example.com/fullchain.pem
TLSCertificateFile /data/letsencrypt/live/example.com/cert.pem
TLSCertificateKeyFile /data/letsencrypt/live/example.com/privkey.pem
TLSVerifyClient try
I’ve tried fiddling with permissions, giving the path to the “real” certificate files instead of the symlinks, etc. but nothing seems to work.
One thing I did find is that I had to reverse the order of the certificates in “fullchain.pem” (OpenLDAP would complain about that), but that didn’t help with the other error at all.
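The fopen error above is reported by slapd after it has dropped to its unprivileged account, so the question is which component of the certificate path that account cannot reach, not just the mode of cert.pem itself. The following is an added example, not code from the original post or from OpenLDAP: it resolves symlinks in the path and walks every directory component, deciding from stat() data alone whether a given uid can search each directory and read the final file. It assumes a certbot-style layout (live/ symlinks into archive/, both directories 0700 by default) and uses a made-up uid as a stand-in for the service account; the account name "ldap" in ids_for() is also an assumption, since the poster's slapd rc configuration is not shown.

```python
"""Added example (not from the original post): find which path component stops an
unprivileged service account from reading a TLS certificate, using only stat()
metadata, so the walk can be done as any user without switching uid."""
import grp
import os
import pwd
import stat
import tempfile


def ids_for(username):
    """uid and all gids of a local account, e.g. the 'ldap' user slapd drops to.
    (The account name is an assumption; check your slapd rc/service config.)"""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, frozenset(gids)


def _bits_for(st, uid, gids):
    """The rwx triple that applies to uid/gids for this inode (owner, group, other)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def first_denied_component(path, uid, gids=frozenset(), assume_traversable=os.sep):
    """Resolve symlinks in `path`, then walk every component below
    `assume_traversable` (a prefix we trust uid can already reach). Return
    (component, needed_bit, mode) for the first directory uid cannot search
    ('x') or the final file it cannot read ('r'); None if nothing denies access.
    uid 0 is treated as bypassing DAC entirely."""
    if uid == 0:
        return None
    real = os.path.realpath(path)          # certbot: live/*.pem -> ../../archive/...
    start = os.path.realpath(assume_traversable)
    if os.path.commonpath([real, start]) != start:
        start = os.sep
    comps = [c for c in os.path.relpath(real, start).split(os.sep) if c not in ("", ".")]
    cur = start
    for i, comp in enumerate(comps):
        cur = os.path.join(cur, comp)
        st = os.stat(cur)
        need = "r" if i == len(comps) - 1 else "x"
        mask = stat.S_IROTH if need == "r" else stat.S_IXOTH   # 4 or 1 within the triple
        if not _bits_for(st, uid, gids) & mask:
            return cur, need, oct(stat.S_IMODE(st.st_mode))
    return None


def demo():
    """Constructed certbot-style tree: live/ symlinks into archive/, both 0700.
    Check it as a uid that is not the owner (stand-in for the slapd account),
    then open the directories up and check again."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    archive_dir = os.path.join(base, "archive")
    live_dir = os.path.join(base, "live")
    archive = os.path.join(archive_dir, "example.com")
    live = os.path.join(live_dir, "example.com")
    for d in (archive, live):
        os.makedirs(d)
        os.chmod(d, 0o755)
    real_cert = os.path.join(archive, "cert1.pem")
    with open(real_cert, "w") as fh:      # constructed placeholder, not a real cert
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    os.chmod(real_cert, 0o644)
    link = os.path.join(live, "cert.pem")
    os.symlink(os.path.relpath(real_cert, live), link)
    for d in (archive_dir, live_dir):
        os.chmod(d, 0o700)                  # certbot's default for both directories
    other_uid = os.getuid() + 1             # any uid that is neither root nor the owner
    before = first_denied_component(link, other_uid, assume_traversable=base)
    for d in (archive_dir, live_dir):
        os.chmod(d, 0o755)                  # allow search; privkey.pem keeps its own mode
    after = first_denied_component(link, other_uid, assume_traversable=base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On the real host the call would be `first_denied_component("/data/letsencrypt/live/example.com/cert.pem", *ids_for("ldap"))`, repeated for privkey.pem and fullchain.pem. Note that the walk follows the symlink target, so a denial can come from the archive/ side even when live/ looks fine, which is consistent with the poster seeing the same error with the "real" files. Opening the live/ and archive/ directories to 0755 only grants directory search; the private key stays protected by its own file mode, and it must still be made readable by the service account (or copied by a certbot deploy hook into a directory that account owns) before TLSCertificateKeyFile will load.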