OpenLDAP with LetsEncrypt certificates on Linux Mint 21.1 (Ubuntu)
I spent so many hours over the last couple of weeks reading articles all over Stack, blogs, and forums, and finally I found a combination of changes that made it work for me. Hoping this will help others.
If any of you find a mistake anywhere, please, do comment so it can be improved.
If it helped you, upvote it over on serverfault.
Based off of this blog post and so many others.
Requirements:
- Working OpenLDAP/slapd without ssl.
- Working LetsEncrypt (certs in /etc/letsencrypt structure).
Set the correct access permissions for the LetsEncrypt directories and files in two steps.
setfacl
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive
apparmor
Create /etc/apparmor.d/local/usr.sbin.slapd with the following content.
/etc/letsencrypt/live/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here/** r,
Restart apparmor.
sudo service apparmor restart
These TLS settings may be necessary to add, or you may already have set them.
# /root/add_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
If you want/need them add them with:
ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl_options.ldif
Add the LetsEncrypt certificates to your openldap by adding the following information to add_letsencrypt_ssl.ldif.
# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
and run this to import it:
ldapmodify -Y EXTERNAL -H ldapi:/// -f add_letsencrypt_ssl.ldif
If you haven't already enabled ldaps in /etc/default/slapd do that now.
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
Restart openldap
sudo service slapd restart
Reload certificates when they are renewed
Put this in the /etc/ldap directory, so we can re-use it when the LetsEncrypt certificate is renewed).
# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
Then put this in /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd.
The name of the script can be whatever you want.
#!/bin/sh
do
if [ "$RENEWED_LINEAGE" = your.domain.here ]
then
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif
fi
done
Make it executable.
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd
slapd should now auto-reload the certs after the certificates have been renewed, but not actually need to restart the daemon itself. So no noticeable downtime.
I don't really need any help with this, as it is now working, but feel free to comment and let me know if I could do something better/smarter.