OpenLDAP with LetsEncrypt certificates on Linux Mint 21.1 (Ubuntu)

I spent so many hours over the last couple of weeks reading articles all over Stack, blogs, and forums, and finally I found a combination of changes that made it work for me. Hoping this will help others.

If any of you find a mistake anywhere, please, do comment so it can be improved.
If it helped you, upvote it over on serverfault.

Based off of this blog post and so many others.


  • Working OpenLDAP/slapd without ssl.
  • Working LetsEncrypt (certs in /etc/letsencrypt structure).

Set the correct access permissions for the LetsEncrypt directories and files in two steps.


$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive


Create /etc/apparmor.d/local/usr.sbin.slapd with the following content.

/etc/letsencrypt/live/ r,
/etc/letsencrypt/archive/ r,
/etc/letsencrypt/archive/** r,

Restart apparmor.

sudo service apparmor restart 

These TLS settings may be necessary to add, or you may already have set them.

# /root/add_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
add: olcTLSCRLCheck
olcTLSCRLCheck: none
add: olcTLSVerifyClient
olcTLSVerifyClient: never
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

If you want/need them, add them with:

ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl_options.ldif

Add the LetsEncrypt certificates to your openldap by adding the following information to add_letsencrypt_ssl.ldif.

# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/

and run this to import it:

ldapmodify -Y EXTERNAL -H ldapi:/// -f add_letsencrypt_ssl.ldif

If you haven't already enabled ldaps in /etc/default/slapd, do that now.

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart openldap.

sudo service slapd restart

Reload certificates when they are renewed

Put this in the /etc/ldap directory, so we can re-use it when the LetsEncrypt certificate is renewed.

# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/

Then put this in /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd.
The name of the script can be whatever you want.

        #!/bin/sh
        if [ "$RENEWED_LINEAGE" = "/etc/letsencrypt/live/" ]; then
                ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif
        fi

Make it executable.

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd

slapd should now automatically reload the certs after they have been renewed, without needing to restart the daemon itself, so there is no noticeable downtime.
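A fuller version of the deploy hook, added here as an example and not the original poster's script. It builds the replace-LDIF from the lineage directory certbot passes in $RENEWED_LINEAGE, so no hand-maintained LDIF in /etc/ldap is needed; before touching cn=config it checks, as the openldap user the setfacl step grants access to, that the new key is actually readable (a missing ACL or AppArmor rule from the earlier steps shows up here instead of as a failed TLS handshake later); and it carries a helper that shows which certificate slapd is serving on port 636 after the reload. The lineage name ldap.example.com is a placeholder, and using fullchain.pem for olcTLSCertificateFile (so clients receive the intermediate CA) is my assumption, since the post truncates those paths.

```shell
#!/bin/sh
# Added example, not the original poster's hook. Assumptions that are mine:
# the lineage name "ldap.example.com" (placeholder, override via SLAPD_LINEAGE),
# slapd running as user "openldap", and fullchain.pem as the served cert file.

SLAPD_USER="openldap"
WANTED_LINEAGE="${SLAPD_LINEAGE:-/etc/letsencrypt/live/ldap.example.com}"  # placeholder

# Emit the cn=config modification for one lineage directory. The "-" lines
# separate the two modifications that belong to a single LDIF record.
build_reload_ldif() {
    lineage="$1"
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: olcTLSCertificateKeyFile' \
        "olcTLSCertificateKeyFile: $lineage/privkey.pem" \
        '-' \
        'replace: olcTLSCertificateFile' \
        "olcTLSCertificateFile: $lineage/fullchain.pem" \
        '-'
}

# 0 if both files exist and are readable by the current user, else 1.
lineage_is_usable() {
    [ -r "$1/privkey.pem" ] && [ -r "$1/fullchain.pem" ]
}

# Same check, but performed as the slapd user (needs root): this is what
# catches a missing setfacl before slapd fails to load the new key.
lineage_readable_by_slapd() {
    su -s /bin/sh "$SLAPD_USER" -c "test -r '$1/privkey.pem' && test -r '$1/fullchain.pem'"
}

# Print subject and expiry of the certificate slapd currently serves on 636,
# so the reload can be confirmed from the outside.
show_served_cert() {
    host="$1"
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

main() {
    # certbot runs the hook once per renewed certificate; ignore the others.
    [ "$RENEWED_LINEAGE" = "$WANTED_LINEAGE" ] || exit 0
    lineage_readable_by_slapd "$RENEWED_LINEAGE" || {
        echo "reload_le_certs_in_slapd: $SLAPD_USER cannot read $RENEWED_LINEAGE" >&2
        exit 1
    }
    build_reload_ldif "$RENEWED_LINEAGE" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || {
        echo "reload_le_certs_in_slapd: ldapmodify failed" >&2
        exit 1
    }
}

# Run only when installed under the hook name; sourcing the file just defines
# the functions so they can be used interactively.
case "$0" in
    */reload_le_certs_in_slapd) main ;;
esac
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd and chmod +x it as in the step above. certbot's `--dry-run` does not execute deploy hooks, so exercise it by hand with the variable certbot would set: `sudo env RENEWED_LINEAGE=/etc/letsencrypt/live/ldap.example.com /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd`, then `. /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd; show_served_cert ldap.example.com` to confirm the expiry date moved.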

I don't really need any help with this, as it is now working, but feel free to comment and let me know if I could do something better/smarter.


I would rename /etc/ldap/add_letsencrypt_ssl.ldif to /etc/ldap/reload_letsencrypt_ssl.ldif or something similar, just to make it easier for anyone else who is maintaining that server to understand what is going on.

