Do these certificates support LDAP, or are they only for websites and blogs?

I want to issue certificates for my LDAP server and make it LDAPS. Is it possible?

Which server software are you running?

I am running 389 Directory Server on CentOS 7. I want to run my LDAP server over SSL/TLS. I can make it LDAPS with a self-signed certificate, but I want authorized certificates.

If you are able to set up your software with self-signed certificates, you may also use certificates from Let's Encrypt.

Depending on what other services are running on that host, there may be some different ways to retrieve them via certbot. Just give it a try.

I think LDAPS requires Extended Key Usage 1.3.6.1.5.5.7.3.1 (Server Authentication):

The LDAPS certificate must meet the following X.509 certificate extension requirements:
The Extended Key Usage certificate extension must include the Server Authentication Object Identifier (OID): 1.3.6.1.5.5.7.3.1.

The Let's Encrypt CPS (ISRG CPS v2.0 - Let's Encrypt) indicates that "TLS Server Authentication" is one of the Extended Key Usages permitted, so I would guess yes.

Would be nice to get a confirmation from staff.

1.3.6.1.5.5.7.3.1 is the OID for "TLS Server Authentication," in Let's Encrypt certificates, yeah.

I can't find any very authoritative specification, but it appears to be true.

The above link demonstrates how to enable SSL in AD. But I am talking about LDAP as a purely Linux-based service, e.g. 389-DS, OpenLDAP etc.

I want steps for how to issue certificates from “Let’s Encrypt” and use them in my LDAP environment.

Thanks for the support…

If you don’t have any kind of webserver running on your LDAP server, you can use certbot’s standalone mode to obtain a certificate. This spins up a temporary webserver in order to complete the validation process.

certbot certonly --standalone -d ldap.example.com

You will need port 80 or 443 open in your firewall for this to work, but you need no server running on these ports. I’m not sure which port certbot uses by default; if you only want to open one port, you can pass --preferred-challenges http for port 80 or --preferred-challenges tls-sni for port 443.

If you do have a running web server on port 80/443, e.g. for a management interface, you will want to follow the instructions on the certbot site to obtain a certificate instead. This will set up your web server for SSL, and then you can reuse the certificate for your LDAP server.

Once you have a certificate, you can follow these instructions to import your certificate. You’ll find the certificate file at /etc/letsencrypt/live/ldap.yourdomain.com/cert.pem and chain file in the same directory in chain.pem.

Note that while certbot will be able to automatically renew your certificates, it won’t be able to update them with 389DS. If you don’t want to have to reimport the certificate manually every 2-3 months, you can create a deploy hook script that runs the commands to import the certificate into 389DS.

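A deploy hook of the kind suggested in the post above, as an added example that is not part of the original thread or of the certbot or 389-DS documentation. The instance name `example`, the nickname `Server-Cert`, the NSS password file path and the PKCS#12 import via `pk12util` are assumptions; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables certbot sets for deploy hooks.

```sh
#!/bin/sh
# Added example: certbot deploy hook that re-imports a renewed certificate into
# the 389-DS NSS database. INSTANCE, LDAP_HOST, NICKNAME and NSS_PWFILE are
# assumed values for illustration; set them to match your installation.
INSTANCE="${INSTANCE:-example}"
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
NICKNAME="${NICKNAME:-Server-Cert}"
NSS_DIR="/etc/dirsrv/slapd-$INSTANCE"
NSS_PWFILE="${NSS_PWFILE:-$NSS_DIR/pwdfile.txt}"

# Succeeds when host $1 is among the space-separated renewed names in $2.
covers_host() {
    for name in $2; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Run a command, or only print it when DRY_RUN=1 (for checking the hook).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

deploy() {
    lineage="$1"
    umask 077                      # key material readable by root only
    work=$(mktemp -d) || return 1
    # One-time PKCS#12 password, passed via file so it never shows up in `ps`.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/p12pw"
    run openssl pkcs12 -export -name "$NICKNAME" \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -out "$work/cert.p12" -passout "file:$work/p12pw" &&
        run pk12util -i "$work/cert.p12" -d "$NSS_DIR" \
            -k "$NSS_PWFILE" -w "$work/p12pw" &&
        run systemctl restart "dirsrv@$INSTANCE"
    status=$?
    rm -rf "$work"                 # remove the exported private key copy
    return "$status"
}

# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it calls deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ] && covers_host "$LDAP_HOST" "${RENEWED_DOMAINS:-}"; then
    deploy "$RENEWED_LINEAGE"
fi
```

The script can be placed in /etc/letsencrypt/renewal-hooks/deploy/ or passed to certbot with --deploy-hook; running it with DRY_RUN=1 prints the commands without touching the NSS database.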

You can, just add the certificate file locations to the configuration of the software you want to use. It’s not just for websites.

You don't have to leave them permanently open. You can use certbot's Pre and Post hooks to open them for just as long as needed for the renewal. I've got a mail server running where I'm using LE certs for SMTP and IMAP where I recently got it set up just this way.

Thank you for the reply.

I have installed certbot on my machine and followed the process for standalone mode.

certbot certonly --standalone -d "my domain"

Error: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Received 5 certificate(s)

For this domain we already have certificates issued by another vendor, and they are applied to my web server and mail server. But I want to issue a different certificate from Let’s Encrypt for this specific machine without disturbing my existing certificates and servers.

Questions:

  1. Can I issue an individual certificate in spite of having a domain certificate from another vendor?
  2. If yes, then what is the procedure for that?
  3. For that, should I remove my existing certificates or disable my web server to issue a new one?

Please help with this…

Hi @locuz1,

You can’t use --standalone if you have an existing web server running. @Patches suggested this on the basis that you probably didn’t have an existing web server, but apparently you do.

There are various options depending on what web server it is and whether it’s OK for you to reconfigure it and/or stop it temporarily, as well as whether you could update your DNS zone records via an API.

Hi @schoen

Thanks for the support.

As of now we can’t reconfigure or stop our web server. Is there a way to issue an LE certificate without disturbing anything?

Are you using a domain specifically for LDAP like ldap.example.com or do you use the same domain as a/the web site? Is there some sort of virtual host for the ldap domain or does it just return a different website?

Would you mind certbot hot reloading your web server without interrupting traffic? If you are using Apache or nginx it can validate any domain listening on the IP address by configuring your web server with a special certificate only the validation server can see. This doesn’t affect your running sites at all.

Otherwise you have to figure out which website is listening on the domain so you can tell certbot to place a verification file there, or configure a virtual host so you can serve the verification file.

There’s also DNS TXT verification when you really can’t touch anything about the website at all, but your DNS provider needs to offer an API or you have to deal with it manually every 2-3 months.
