I am trying to configure OpenLDAP with Let's Encrypt, but get this error when I run:
# LDAPTLS_CACERTDIR=/etc/letsencrypt/archive/ldap.domain.tld ldapsearch -LL -v -x -D "cn=Manager,dc=ldap,dc=domain,dc=tld" -H ldap://ldap.domain.tld -ZZ "(objectclass=*)" -d-3
ldap_msgfree
TLS: certdb config: configDir='/etc/letsencrypt/archive/ldap.domain.tld' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/letsencrypt/archive/ldap.domain.tld', error -8018:Unknown PKCS #11 error.
TLS: skipping 'cert1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'privkey1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'chain1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'fullchain1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
0000: 30 05 02 01 02 42 00 0....B.
ldap_free_connection: actually freed
I have followed https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html to set up OpenLDAP.
Here is my certs.ldif:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

dn: cn=config
changetype: modify
replace: olcTLSCRLCheck
olcTLSCRLCheck: none

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.domain.tld/fullchain.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.domain.tld/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.domain.tld/privkey.pem
What am I missing?
Any advice is much appreciated.
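Added example (not from the question above and not OpenLDAP's own code): a small Python diagnostic that performs the RFC 4511 StartTLS extended operation by hand on port 389 and then completes a verified TLS handshake with the standard ssl module, so you can see whether slapd actually serves a chain that verifies, independently of the client-side NSS certdb that the -d output shows ldapsearch failing to open. The host name and an optional CA bundle path are assumed command-line arguments (the system trust store is used when none is given), and the response parser assumes one complete LDAPMessage arrives per recv().

```python
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_read_len(buf, pos):
    """Decode a BER length at pos; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def starttls_request(msgid):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }; all lengths < 128."""
    ext = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    body = b"\x02\x01" + bytes([msgid]) + b"\x77" + bytes([len(ext)]) + ext
    return b"\x30" + bytes([len(body)]) + body

def unbind_request(msgid):
    """LDAPMessage with UnbindRequest [APPLICATION 2] NULL; msgid 2 yields the 7 bytes in the ber_flush2 dump."""
    body = b"\x02\x01" + bytes([msgid]) + b"\x42\x00"
    return b"\x30" + bytes([len(body)]) + body

def parse_result_code(msg):
    """Return resultCode from an ExtendedResponse [APPLICATION 24]; 0 means StartTLS was accepted."""
    _, pos = ber_read_len(msg, 1)  # assumes msg[0] is the 0x30 SEQUENCE tag of an LDAPMessage
    idlen, pos = ber_read_len(msg, pos + 1)  # skip INTEGER messageID
    pos += idlen
    if msg[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, pos = ber_read_len(msg, pos + 1)
    rclen, pos = ber_read_len(msg, pos + 1)  # ENUMERATED resultCode comes first in LDAPResult
    return int.from_bytes(msg[pos:pos + rclen], "big")

def check_starttls(host, port, cafile=None):
    """Send StartTLS on a plain LDAP connection, then do a verified TLS handshake; return the peer cert."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request(1))
        rc = parse_result_code(sock.recv(4096))  # assumes the whole response arrives in one read
        if rc != 0:
            raise RuntimeError("server refused StartTLS, resultCode=%d" % rc)
        ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the host name
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(unbind_request(2))
            return cert

if __name__ == "__main__":  # usage: starttls_check.py ldap.domain.tld [/path/to/ca-bundle.pem]
    print(check_starttls(sys.argv[1], 389, sys.argv[2] if len(sys.argv) > 2 else None)["notAfter"])
```

A non-zero resultCode means slapd is not accepting StartTLS at all (typically because it could not load the configured certificate and key), while a failed handshake after resultCode 0 points at the chain or host name not verifying.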