OpenLDAP with Let's Encrypt

I am trying to configure OpenLDAP with Let's Encrypt, but I get this error when I run:

# LDAPTLS_CACERTDIR=/etc/letsencrypt/archive/ldap.domain.tld ldapsearch -LL -v -x -D "cn=Manager,dc=ldap,dc=domain,dc=tld" -H ldap://ldap.domain.tld -ZZ "(objectclass=*)" -d-3

ldap_msgfree
TLS: certdb config: configDir='/etc/letsencrypt/archive/ldap.domain.tld' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/letsencrypt/archive/ldap.domain.tld', error -8018:Unknown PKCS #11 error.
TLS: skipping 'cert1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'privkey1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'chain1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'fullchain1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_free_connection: actually freed

I have followed https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html to set up OpenLDAP.

Here is my certs.ldif:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

dn: cn=config
changetype: modify
replace: olcTLSCRLCheck
olcTLSCRLCheck: none

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.domain.tld/fullchain.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.domain.tld/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.domain.tld/privkey.pem

What am I missing?

Any advice is much appreciated.

Does that file exist?
What are the attributes?

I won't pretend to know anything about openldap, but based on those error messages it sort of looks like it's expecting this to point to a database of trusted root certificates, the sort of thing you'd find in /etc/ssl/certs on Ubuntu (don't know offhand where it is on CentOS; edit: maybe /etc/pki/tls/certs), rather than the directory containing your Let's Encrypt certificate.

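The reply above matches what the debug output shows: the client reads LDAPTLS_CACERTDIR as a trust store and skips every file whose name is not a subject hash with a numeric suffix (the layout written by `openssl rehash DIR` or the older `c_rehash DIR`), so cert1.pem, chain1.pem and friends are all ignored. As an added example that is not part of the thread, here is a POSIX sh function that audits a directory before it is handed to ldapsearch as LDAPTLS_CACERTDIR; the directory contents it is run against are constructed by the caller, and the suggestion to fall back to LDAPTLS_CACERT (a single PEM file) is the standard ldap.conf(5) alternative, not something the thread tested.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Audit a directory intended for LDAPTLS_CACERTDIR / TLS_CACERTDIR.
# The OpenLDAP client only loads files named <8-hex-subject-hash>.<n>
# (what `openssl rehash DIR` / `c_rehash DIR` produce); anything else is
# skipped, which is exactly the "filename does not have expected format"
# line seen in the debug output above.

# Prints one classification per file.
# Returns 0 if at least one usable hashed CA file is present, 1 otherwise.
audit_cacertdir() {
    dir=$1
    usable=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not expand
        name=${f##*/}
        case $name in
            privkey*)
                # A trust-anchor directory should never hold private keys
                # (matched on name only, as in the Let's Encrypt archive dir).
                echo "WARNING private key in CA dir, will be ignored: $name" ;;
            *)
                if printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
                    echo "OK    hashed CA file: $name"
                    usable=$((usable + 1))
                else
                    echo "SKIP  not in <hash>.<n> format, client ignores it: $name"
                fi ;;
        esac
    done
    if [ "$usable" -eq 0 ]; then
        echo "no usable CA files in $dir;" \
             "run 'openssl rehash $dir' or point LDAPTLS_CACERT at one PEM file"
        return 1
    fi
    return 0
}
```

Run it as `audit_cacertdir /etc/letsencrypt/archive/ldap.domain.tld` to reproduce the skip list from the question without opening an LDAP connection.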
