OpenLDAP with LetsEncrypt certificates on Linux Mint 21.1 (Ubuntu)
I spent so many hours over the last couple of weeks reading articles all over Stack, blogs, and forums, and finally I found a combination of changes that made it work for me. Hoping this will help others.
If any of you find a mistake anywhere, please, do comment so it can be improved.
If it helped you, upvote it over on serverfault.
Based off of this blog post and so many others.
- Working OpenLDAP/slapd without ssl.
- Working LetsEncrypt (certs in /etc/letsencrypt structure).
Set the correct access permissions for the LetsEncrypt directories and files in two steps.
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live $ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive
Create /etc/apparmor.d/local/usr.sbin.slapd with the following content.
/etc/letsencrypt/live/your.domain.here r, /etc/letsencrypt/archive/your.domain.here r, /etc/letsencrypt/archive/your.domain.here/** r,
sudo service apparmor restart
These TLS settings may be necessary to add, or you may already have set them.
# /root/add_ssl.ldif dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: NORMAL - add: olcTLSCRLCheck olcTLSCRLCheck: none - add: olcTLSVerifyClient olcTLSVerifyClient: never - add: olcTLSProtocolMin olcTLSProtocolMin: 3.3
If you want/need them add them with:
ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl_options.ldif
Add the LetsEncrypt certificates to your openldap by adding the following information to add_letsencrypt_ssl.ldif.
# /etc/ldap/add_letsencrypt_ssl.ldif dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
and run this to import it:
ldapmodify -Y EXTERNAL -H ldapi:/// -f add_letsencrypt_ssl.ldif
If you haven't already enabled ldaps in /etc/default/slapd do that now.
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
sudo service slapd restart
Reload certificates when they are renewed
Put this in the /etc/ldap directory, so we can re-use it when the LetsEncrypt certificate is renewed).
# /etc/ldap/add_letsencrypt_ssl.ldif dn: cn=config changetype: modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
Then put this in /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd.
The name of the script can be whatever you want.
#!/bin/sh do if [ "$RENEWED_LINEAGE" = your.domain.here ] then ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif fi done
Make it executable.
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd
slapd should now auto-reload the certs after the certificates have been renewed, but not actually need to restart the daemon itself. So no noticeable downtime.
I don't really need any help with this, as it is now working, but feel free to comment and let me know if I could do something better/smarter.