Has anyone had success using letsencrypt with openldap 2.4?

When I try to use letsencrypt certificates with openldap 2.4 it won’t start and looking at the logs I see the following errors:

TLS: could not use certificate `/data/letsencrypt/live/example.com/cert.pem'.
TLS: error:0200100D:system library:fopen:Permission denied /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:391
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:393
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:438
57226a61 main: TLS init def ctx failed: -1
57226a61 slapd destroy: freeing system resources.
57226a61 slapd stopped.
57226a61 connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

Here’s the relevant snippet from slapd.conf:

# TLS STUFF
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /data/letsencrypt/live/example.com/fullchain.pem
TLSCertificateFile /data/letsencrypt/live/example.com/cert.pem
TLSCertificateKeyFile /data/letsencrypt/live/example.com/privkey.pem

TLSVerifyClient try

I’ve tried fiddling with permissions, giving the path to the “real” certificate files instead of the symlinks, etc. but nothing seems to work.

One thing I did find is that I had to reverse the order of the certificates in “fullchain.pem”; openldap would complain about that, but that didn’t help with the other error at all.

Any ideas?

Haven’t tried with openldap, but I have to say those errors really do look exactly like a permission problem.

Thus I recommend you figure out which user account runs the slapd and use sudo or similar to become that user. As that user, can you cat the PEM files? If not, fix that, and very likely this error (and perhaps all your trouble) is fixed.

If you can read them when impersonating that user, but slapd can’t, then reasons to investigate might include:

  • Do you have SELinux enforcing mode? Read the policy documentation to see if slapd certificates must be stored in a specific place under the enforced policy.
  • Do you run the slapd in a “chroot” jail or similar, so that it sees a different filesystem layout or permissions?

Make sure you give sufficient permissions to openldap first:

useradd letsencrypt
chown openldap:letsencrypt /etc/letsencrypt/ -R
usermod -a -G letsencrypt openldap

Additionally, if you have AppArmor installed on the server, you might want to configure it correctly or just disable it for slapd.

Thanks for the hints. I’d tried everything I could think of permissions-wise but didn’t think to check the “archive” folder permissions. It was set to 700 / root:wheel, so once I relaxed the permissions on that folder a little then all was well.

Thank you all for the help!
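
The cause found in this thread (an "archive" directory set to 700 behind the "live" symlinks) can be located mechanically. The script below is an added example, not part of any post above; it lists which path components deny a given uid and group list, and `SLAPD_USER` and the script name `certperm.sh` are placeholders.

```shell
#!/bin/sh
# Added example. Judges access from classic mode bits only: ACLs, SELinux,
# AppArmor, chroot and root's bypass are not modelled. FILE must be absolute.
# Usage (SLAPD_USER is a placeholder for the account slapd runs as):
#   sh certperm.sh "$(id -u SLAPD_USER)" "$(id -G SLAPD_USER)" /path/to/cert.pem

# denied UID "GID ..." PATH BIT: succeed if the mode bits refuse BIT (r or x).
denied() {
    ls -ldnL "$3" | awk -v uid="$1" -v gids=" $2 " -v bit="$4" '{
        # ls -n fields: $1 mode string, $3 owner uid, $4 owner gid
        off = ($3 == uid) ? 2 : (index(gids, " " $4 " ") ? 5 : 8)
        if (bit == "x") off += 2
        exit (substr($1, off, 1) ~ /[-ST]/) ? 0 : 1
    }'
}

# ancestors DIR: print DIR and each parent directory up to /.
ancestors() {
    p=$1
    while :; do
        printf '%s\n' "$p"
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
}

# blockers UID "GID ..." FILE: print every directory without search permission
# and the file itself if unreadable, on both the path as given (live/ symlink)
# and the resolved target (archive/). Prints nothing when access is allowed.
blockers() {
    real=$(readlink -f "$3") || return 2
    { ancestors "$(dirname "$3")"; ancestors "$(dirname "$real")"; } | sort -u |
    while IFS= read -r dir; do
        if denied "$1" "$2" "$dir" x; then echo "no search (x): $dir"; fi
    done
    if denied "$1" "$2" "$real" r; then echo "no read (r): $real"; fi
}

if [ "$#" -eq 3 ]; then blockers "$@"; fi
```

Granting the slapd account's group search permission on the reported directory (for example mode 750 with a matching group) clears the finding without opening the private key to every local user.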
