If you don’t have any kind of webserver running on your LDAP server, you can use certbot’s standalone mode to obtain a certificate. This spins up a temporary webserver in order to complete the validation process.
certbot certonly --standalone -d ldap.example.com
You will need port 80 or 443 open in your firewall for this to work, but you need no server running on these ports. I’m not sure which port certbot uses by default; if you only want to open one port, you can pass --preferred-challenges http for port 80 or --preferred-challenges tls-sni for port 443.
If you do have a running web server on port 80/443, e.g. for a management interface, you will want to follow the instructions on the certbot site to obtain a certificate instead. This will set up your web server for SSL, and then you can reuse the certificate for your LDAP server.
Once you have a certificate, you can follow these instructions to import it. You’ll find the certificate file at /etc/letsencrypt/live/ldap.yourdomain.com/cert.pem and the chain file in the same directory in
Note that while certbot will be able to automatically renew your certificates, it won’t be able to update them with 389DS. If you don’t want to have to reimport the certificate manually every 2-3 months, you can create a deploy hook script that runs the commands to import the certificate into 389DS.
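As an added example (not part of the original post), here is what such a deploy hook can look like: certbot runs it after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set, and it re-imports the certificate into the 389DS NSS database. The instance directory, the "Server-Cert" nickname, the NSS password file and the service name are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: certbot deploy hook for 389DS (place under
# /etc/letsencrypt/renewal-hooks/deploy/ and make executable).
# Assumed values (not from the page): instance dir, nickname, pin file, unit.
set -eu

LDAP_HOST="ldap.example.com"                  # hostname used on the page
DS_INSTANCE_DIR="/etc/dirsrv/slapd-example"   # assumed 389DS instance directory
NSS_NICK="Server-Cert"                        # assumed nsSSLPersonalitySSL nickname
NSS_PWFILE="$DS_INSTANCE_DIR/pwdfile.txt"     # assumed NSS DB password file
DS_UNIT="dirsrv@example.service"              # assumed systemd unit

# Succeeds only when the renewed lineage covers the LDAP hostname, so a hook
# shared by several certificates leaves 389DS alone for unrelated renewals.
lineage_matches() {
    domains="$1"; host="$2"
    for d in $domains; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# Refuse to touch the NSS database if certbot's output is incomplete.
lineage_complete() {
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    return 0
}

# Bundle cert+key into a throwaway PKCS#12, import it, add the chain, restart.
import_into_389ds() {
    lineage="$1"
    p12="$(mktemp)"; p12pass="$(openssl rand -hex 16)"
    trap 'rm -f "$p12"' EXIT
    openssl pkcs12 -export -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
        -name "$NSS_NICK" -passout "pass:$p12pass" -out "$p12"
    # remove the old server cert so the nickname is not duplicated
    certutil -D -d "$DS_INSTANCE_DIR" -n "$NSS_NICK" -f "$NSS_PWFILE" 2>/dev/null || true
    pk12util -i "$p12" -d "$DS_INSTANCE_DIR" -k "$NSS_PWFILE" -W "$p12pass"
    certutil -A -d "$DS_INSTANCE_DIR" -n "LetsEncrypt-Chain" -t "CT,," \
        -i "$lineage/chain.pem" -f "$NSS_PWFILE"
    systemctl restart "$DS_UNIT"
}

main() {
    lineage_matches "${RENEWED_DOMAINS:-}" "$LDAP_HOST" || exit 0
    lineage_complete "$RENEWED_LINEAGE"
    import_into_389ds "$RENEWED_LINEAGE"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Run `certbot renew --dry-run` afterwards to confirm the hook is picked up; the PKCS#12 password is generated per run and the bundle is deleted on exit, so the private key never stays on disk outside the NSS database and certbot's own directory.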