
I currently have a stack of iRedMail installed, and one of the services is an OpenLDAP 2.4 version, which I am unable to configure properly for a certificate other than iRedMail's, which is stored in /etc/ssl/certs and /etc/ssl/private.

Whenever I try to start slapd with the letsencrypt certificates it fails with

58c03b6a main: TLS init def ctx failed: -1

Now, I was guessing file permission issues on the certificates, so I have tried and double-checked the following:

  • Changed ownership of letsencrypt to openldap user.
  • Ran cat as the openldap user and verified it can read the certificates.
  • Added letsencrypt live folder to slapd's apparmor permissions.
  • Double-checked that the letsencrypt files are pure PEM-formatted certs and keys.

And still it refuses to start slapd properly, while throwing the TLS error, which from ssl.h corresponds to SSL_ERROR_SSL and offers no more insight on what's failing.

Could it be because letsencrypt uses symlinks? Or something with the certificates from letsencrypt? Has anyone used them successfully with OpenLDAP and slapd?

I am at a loss here. Any help would be welcome.

devnull
  • Can you supply the bits of the openldap config relating to SSL? Have you been able to configure OpenLDAP with non letsencrypt certificates e.g. self-signed? – IanB Mar 08 '17 at 21:13
  • 1
    In slapd.conf TLSCACertificateFile /etc/letsencrypt/live/domain/chain.pem TLSCertificateFile /etc/letsencrypt/live/domain/cert.pem TLSCertificateKeyFile /etc/ssl/letsencrypt/live/domain/privkey.pem – devnull Mar 08 '17 at 21:26
  • Are you sure Openldap is configured to use slapd.conf (rather than OLC)? Please also try self-signed cert, just to verify. – IanB Mar 09 '17 at 21:49
  • Self-signed cert works just fine. – devnull Mar 09 '17 at 23:25

1 Answer


First, make sure you have installed the certificate as indicated on the official website (and the documentation of your Linux distribution).

Then, check the access permission granted to the slapd user on the archive folder of the certificate installation location (the archive_dir parameter of the certificate's renewal configuration, typically /etc/ssl/letsencrypt/archive/ for your installation). The user who runs slapd must have read access to this folder.

The problem seems to be a security issue and very close to this one.
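The checklist in the question (ownership, reading the files as the service user, PEM format) and the answer's point about the archive directory are both about the same failure mode: Let's Encrypt's live/ entries are symlinks into archive/, and a check that stops at the symlink, or at the directory that was chowned, misses the directory or file that actually denies access. The following added example, which is not code from the question, the answer, OpenLDAP or certbot, resolves a path through its symlinks and walks every component as a given uid would, reporting the first directory without the search bit or the final file without the read bit. It also confirms the target is a PEM file by listing its BEGIN labels. The directory layout it builds under a temporary directory (archive/ mode 0700, a relative symlink in live/) is a constructed stand-in for /etc/letsencrypt; the `trusted_root` parameter and the `example.test` domain are my own choices.

```python
"""Walk a TLS cert/key path the way the slapd user's kernel would.

Added example (not from the question, answer, OpenLDAP or certbot).
Let's Encrypt's live/<domain>/*.pem files are symlinks into
archive/<domain>/, and certbot creates archive/ root-only (0700), so a
chown of live/ alone leaves the service user unable to read the real files.
"""
import os
import stat
import tempfile


def _may(st, uid, gids, ubit, gbit, obit):
    """True if uid (member of gids) holds the requested permission bit on st."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def first_blocking_component(path, uid, gids, trusted_root=None):
    """Resolve symlinks in `path` and check each component as user `uid`.

    Every directory on the resolved path needs the execute (search) bit and
    the final file needs the read bit.  Returns the first component that
    denies access, or None if the file is readable.  Components at or above
    `trusted_root` (assumed) are not checked; uid 0 always passes.
    """
    if uid == 0:
        return None
    real = os.path.realpath(path)
    if trusted_root is None:
        cur, rest = os.sep, real.lstrip(os.sep)
    else:
        cur = os.path.realpath(trusted_root)
        rest = os.path.relpath(real, cur)
    parts = [p for p in rest.split(os.sep) if p]
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if i == len(parts) - 1:  # the file itself: needs read
            ok = _may(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
        else:                    # a directory on the way: needs search
            ok = _may(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        if not ok:
            return cur
    return None


def pem_labels(data):
    """Return the labels of the PEM blocks in `data` (bytes), in order,
    e.g. ['PRIVATE KEY'] or ['CERTIFICATE', 'CERTIFICATE'] for a chain."""
    labels = []
    for line in data.splitlines():
        line = line.strip()
        if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
            labels.append(line[len(b"-----BEGIN "):-5].decode("ascii"))
    return labels


def build_letsencrypt_like_tree(base):
    """Constructed fixture mimicking the /etc/letsencrypt layout for one
    domain: archive/ is 0700 as certbot creates it, live/ holds a relative
    symlink to the versioned file in archive/.  Returns the symlink path."""
    archive = os.path.join(base, "archive", "example.test")
    live = os.path.join(base, "live", "example.test")
    os.makedirs(archive)
    os.makedirs(live)
    key = os.path.join(archive, "privkey1.pem")
    with open(key, "wb") as f:  # constructed placeholder, not a real key
        f.write(b"-----BEGIN PRIVATE KEY-----\nMIIB...constructed...\n"
                b"-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    os.chmod(os.path.join(base, "archive"), 0o700)
    link = os.path.join(live, "privkey.pem")
    os.symlink(os.path.join("..", "..", "archive", "example.test", "privkey1.pem"),
               link)
    return link


def demo():
    """Check the fixture as a foreign uid (the service user) and as the owner.

    Returns (basename of the component blocking the foreign uid or None,
             component blocking the owner or None,
             PEM labels of the resolved file).
    """
    base = tempfile.mkdtemp()
    link = build_letsencrypt_like_tree(base)
    me = os.getuid()
    other = me + 1                        # simulates the slapd user
    blocker = first_blocking_component(link, other, set(), trusted_root=base)
    owner_blocker = first_blocking_component(link, me, {os.getgid()},
                                             trusted_root=base)
    with open(link, "rb") as f:
        labels = pem_labels(f.read())
    return (os.path.basename(blocker) if blocker else None,
            owner_blocker, labels)


if __name__ == "__main__":
    print(demo())
```

Run against a real installation as `first_blocking_component("/etc/letsencrypt/live/<domain>/privkey.pem", <slapd uid>, {<slapd gids>})` and the returned component is the one to fix; in the layout above it is archive/ itself, not the files the question's checks looked at. Once the blocker is known, giving the service user read access to that directory (as the answer suggests) or copying the files to a slapd-owned location on renewal are the usual ways to resolve it.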