Using Let's Encrypt certificates with OpenLDAP

Solution 1:

The fullchain.pem file is NOT a concatenation of the certificate chain above the cert.pem file, it is a concatenation of the chain.pem and cert.pem file.

The chain.pem file and the root authority file must be concatenated into the file you will present to slapd as olcTLSCACertificateFile

The privkey.pem file must be presented to slapd as olcTLSCertificateKeyFile.

The simple cert.pem file must be presented to slapd as olcTLSCertificateFile.

I am uncertain if the order of concatenation matters, but this is the order I used: cat chain.pem root.pem > ca.merged.crt

The openssl test you used shows everything is OK when set up like this.

The root authority file can be found here: https://www.identrust.com/certificates/trustid/root-download-x3.html

Test:

[root@█████ ssl]# openssl s_client -connect [REDACTED]:636 -showcerts -state -CAfile ca.merged.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = [REDACTED]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/CN=[REDACTED]
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=[REDACTED]
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4417 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [REDACTED]
    Session-ID-ctx:
    Master-Key: [REDACTED]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1487882605
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
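The CA-file layout from Solution 1, reproduced offline as an added example (this is not code from the answer above): a throwaway self-signed root, intermediate and leaf generated locally stand in for the IdenTrust root, chain.pem and cert.pem, so the effect of concatenating the root can be checked without a live server. All names and paths here are constructed; only the openssl CLI is needed.

```shell
#!/bin/sh
# Added example, not from the answers on this page.  Rebuilds the
# olcTLSCACertificateFile layout from Solution 1 with a throwaway PKI:
# a self-signed root (stand-in for the IdenTrust root), an intermediate
# (stand-in for chain.pem) and a leaf (stand-in for cert.pem).
set -e

make_toy_pki() {
    w="$1"
    # minimal req config so the run does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' \
        > "$w/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' \
        | tee -a "$w/req.cnf" > "$w/ca.ext"
    # 1. self-signed root CA (the "root authority file")
    openssl req -x509 -config "$w/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Toy Root" -keyout "$w/root.key" -out "$w/root.pem" \
        >/dev/null 2>&1
    # 2. intermediate signed by the root (what chain.pem contains)
    openssl req -config "$w/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Toy Intermediate" -keyout "$w/int.key" -out "$w/int.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$w/int.csr" -CA "$w/root.pem" \
        -CAkey "$w/root.key" -CAcreateserial -extfile "$w/ca.ext" \
        -out "$w/chain.pem" >/dev/null 2>&1
    # 3. leaf signed by the intermediate (cert.pem / privkey.pem)
    openssl req -config "$w/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" -keyout "$w/privkey.pem" \
        -out "$w/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$w/leaf.csr" -CA "$w/chain.pem" \
        -CAkey "$w/int.key" -CAcreateserial -out "$w/cert.pem" >/dev/null 2>&1
    # the concatenation order used in Solution 1
    cat "$w/chain.pem" "$w/root.pem" > "$w/ca.merged.crt"
}

# Succeeds only when the leaf chains up to a self-signed root found in the
# CA file given as $2; an intermediate alone is not enough for openssl verify.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d)
make_toy_pki "$d"
verify_leaf "$d/cert.pem" "$d/ca.merged.crt" && echo "chain+root: OK"
verify_leaf "$d/cert.pem" "$d/chain.pem" || echo "chain only: not trusted"
verify_leaf "$d/cert.pem" "$d/root.pem" || echo "root only: not trusted"
rm -rf "$d"
```

The same three checks are what the s_client run above exercises against the live server: the leaf must reach a self-signed root through the intermediate, and both have to be in the file slapd is given.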

Solution 2:

Do you have any extra security measures enabled (like apparmor) which restrict read access to your certificates? I got the same error message ldap_modify: Other (e.g., implementation specific) error (80) because apparmor did not allow access for openldap to the Let's Encrypt certificates:

The following steps resolved the issue for me:

  • Add line to /etc/apparmor.d/local/usr.sbin.slapd: /etc/letsencrypt/** r,

  • service apparmor restart


Solution 3:

Your OpenLDAP server doesn't appear to have TLS configured.

Your /etc/ldap/slapd.d/cn=config.ldif should have something like the following:

olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
olcTLSCACertificateFile: /etc/ldap/ssl/ldap_ca.cert
olcTLSCertificateFile: /etc/ldap/ssl/ldap.cert
olcTLSCipherSuite: HIGH:!aNull:!MD5:@STRENGTH
olcTLSProtocolMin: 3.1

You should add that in via ldapmodify.


Solution 4:

There is a beautiful blog post about this topic. It works for me https://www.dahlem.uk/display/deb/Configure+and+enable+TLS+for+OpenLDAP

Update (blog backup on archive.org): https://web.archive.org/web/20161023210915/http://www.dahlem.uk:80/display/deb/Configure+and+enable+TLS+for+OpenLDAP

My system is this:

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.8 (jessie)
Release:        8.8
Codename:       jessie

# slapd -V
@(#) $OpenLDAP: slapd  (Jul 16 2017 19:57:41) $
        Debian OpenLDAP Maintainers <[email protected]>

Here is a quick run-through. Handle file system access to letsencrypt ...

useradd letsencrypt
chown openldap:letsencrypt /etc/letsencrypt/ -R
usermod -a -G letsencrypt openldap

Activate services ...

# /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

And tell openldap about your certs ...

# /root/add_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/YOURDOMAIN/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/YOURDOMAIN/privkey.pem
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

Read in the ldif file ...

ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl.ldif

Finally restart and check slapd.

systemctl restart slapd.service
systemctl status slapd.service

Solution 5:

I had the same problem setting up certifications from Let's Encrypt with OpenLDAP.

The error:

~ # ldapmodify -Y EXTERNAL -H ldapi:/// -f add_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

The log files contain:

... apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/letsencrypt/archive/your.domain.tld/fullchain1.pem" ...

I have found the following solution:

  1. Edit file /etc/apparmor.d/usr.sbin.slapd
  2. Add line: /etc/letsencrypt/archive/your.domain.tld/* r,
  3. Restart apparmor: service apparmor restart
  4. And now execute ldapmodify again