Hello all,
I imported a wildcard certificate into my system. I installed it and declared it for use with the webconfig console.
Now I need to connect to my OpenLDAP server from other applications and I wanted to use my certificate. But, as far as I can see, my OpenLDAP still uses my original self-signed certificate.
Is there a way to change that so my LDAP server uses my imported certificate?
Thanks to all for your help
Monday, April 06 2020, 07:30 AM
Accepted Answer

Monday, April 06 2020, 09:18 PM - #Permalink
Responses (16)
  • Tuesday, April 07 2020, 05:40 PM - #Permalink
    Hello Nick,
    I finally was able to change the certificate for my OpenLDAP server.
    So many hours lost, sorry for that.
    In the end, changing the names of my certificates was a (very) bad idea.
    I just copied them, without changing anything, to my clearos folder and modified the entries in my slapd.conf file.
    Let me know if you need more information.
    Thanks very much for your help
  • Monday, April 06 2020, 08:46 PM - #Permalink
    OK, thank you very much Nick, I'll re-read the whole thing.
    Have a good night
  • Monday, April 06 2020, 08:16 PM - #Permalink
    Please re-read my first post.
  • Monday, April 06 2020, 08:11 PM - #Permalink
    Yes I will, but ... (please don't shout at me)

    In the slapd.conf file, you have 3 lines to configure the certificates:

    TLSCACertificateFile
    TLSCertificateFile
    TLSCertificateKeyFile

    I have these 3 different files, but if I combine 2 of them I could only fill in two of the three lines. So, if I understand correctly what you wrote above:

    cat /etc/clearos/certificate_manager.d/GFBienne.crt  /etc/clearos/certificate_manager.d/GFBienne.key > /etc/clearos/certificate_manager.d/GFBienne.combined

    you combine the certificate and the key in 1 file. So there will still be the CA file.

    So I'll define my

    TLSCACertificateFile /etc/clearos/certificate_manager.d/GFBienne.intermediate

    and maybe

    TLSCertificateFile /etc/clearos/certificate_manager.d/GFBienne.combined

    and so I leave the option
    TLSCertificateKeyFile
    empty?
  • Monday, April 06 2020, 07:31 PM - #Permalink
    No:
    cat /etc/clearos/certificate_manager.d/GFBienne.crt  /etc/clearos/certificate_manager.d/GFBienne.key > /etc/clearos/certificate_manager.d/GFBienne.combined


    You should be replacing the existing entries, not adding to them, so it should not be using the ClearOS ones.
  • Monday, April 06 2020, 06:36 PM - #Permalink
    :) Thanks very much Nick. Sorry for my bad English, I'm trying to do my best ;)

    I found a post on combining 2 certificates:
    cat my_site.pem ca_chain.pem my_site.key > combined_cert.pem


    But then, if I understand correctly, I'll have 2 different certificates in my slapd.conf file: the one I have with my official domain name (gfbienne.ch) and the one created by ClearOS?
  • Monday, April 06 2020, 03:18 PM - #Permalink
    Noooooooo! Also I thought you were using Let's Encrypt.

    Put your intermediate certificate and certificate into a single file. I don't know if the order matters. If it does, look at a Let's Encrypt fullchain file. Then:
    TLSCACertificateFile     /etc/pki/tls/certs/ca-bundle.crt
    TLSCertificateFile /etc/clearos/certificate_manager.d/GFBienne.combined
    TLSCertificateKeyFile /etc/clearos/certificate_manager.d/GFBienne.key


    [edit]
    Edited slightly to combine the certificates
    [/edit]
  • Monday, April 06 2020, 02:33 PM - #Permalink
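    A pre-flight check for the three slapd.conf entries above, added here as an example and not code from the thread or from ClearOS: it confirms the key file really is a PEM private key (the `openssl x509` error earlier in the thread comes from pointing x509 at a key), that the key matches the certificate, and that the certificate chains to the file named in TLSCACertificateFile, with any extra certificates in a combined file (server certificate first, intermediates after, as in a Let's Encrypt fullchain) offered as untrusted chain links. The demo CA, server certificate and file names are constructed for the example.

```shell
#!/bin/sh
# Pre-flight checks for the three TLS entries in slapd.conf, run before restarting slapd.
# Added example for this thread; not from the original posts or from ClearOS.
# Usage: check_slapd_tls TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile
check_slapd_tls() {
  cert=$1; key=$2; ca=$3
  # 1. The key must be a PEM private key. 'openssl x509' on a key fails with
  #    "no start line"; 'openssl pkey' (or 'openssl rsa' for RSA keys) reads keys.
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "FAIL: $key is not a readable PEM private key" >&2; return 1; }
  # 2. The public key inside the certificate must match the private key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: $key does not match $cert" >&2; return 2; }
  # 3. The first certificate in the file must chain to the CA file. Any further
  #    certificates in a combined file are offered as untrusted intermediates.
  openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca" >&2; return 3; }
  # 4. Warn if the key is world-readable; slapd runs as 'ldap', so give it access
  #    through group membership (the ssl-cert group in the thread) instead.
  [ -z "$(find "$key" -perm -004)" ] || echo "WARN: $key is world-readable" >&2
  echo "OK: $cert, $key and $ca are consistent"
}

# Constructed demo material (a throwaway CA and server certificate) so the checks
# can be exercised offline; on a real host pass the paths from slapd.conf instead.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
  # The "combined" file from the thread: server certificate first, then its chain.
  cat "$d/server.crt" "$d/ca.crt" > "$d/server.combined"
  # An unrelated key, to show the mismatch check firing.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_slapd_tls "$demo/server.combined" "$demo/server.key" "$demo/ca.crt"
check_slapd_tls "$demo/server.combined" "$demo/other.key" "$demo/ca.crt" || echo "(mismatch detected, as expected)"
rm -rf "$demo"
```

    After slapd has been restarted, `openssl s_client -connect <host>:636 -showcerts </dev/null` shows which certificate the server actually presents, which answers the original question of whether the self-signed one is still in use.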
    Sorry,
    maybe I misunderstood what you wrote.
    So, I added ldap to the ssl-cert group:

    [root@master certificate_manager.d]# usermod -a -G ssl-cert ldap


    and I just made a try with the original certificates:

    TLSCACertificateFile     /etc/clearos/certificate_manager.d/GFBienne.intermedidate
    TLSCertificateFile /etc/clearos/certificate_manager.d/GFBienne.crt
    TLSCertificateKeyFile /etc/clearos/certificate_manager.d/GFBienne.key


    but I still have the same error:

    [root@master certificate_manager.d]# systemctl status slapd -l
    ● slapd.service - OpenLDAP Server Daemon
    Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since lun. 2020-04-06 16:30:33 CEST; 2min 27s ago
    Docs: man:slapd
    man:slapd-config
    man:slapd-hdb
    man:slapd-mdb
    file:///usr/share/doc/openldap-servers/guide.html
    Process: 7697 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
    Process: 7667 ExecStartPre=/usr/libexec/openldap/prestart.sh (code=exited, status=0/SUCCESS)
    Main PID: 30479 (code=exited, status=0/SUCCESS)

    avril 06 16:30:33 master.gfb.lan prestart.sh[7667]: Configuration directory '/etc/openldap/slapd.d' does not exist.
    avril 06 16:30:33 master.gfb.lan prestart.sh[7667]: Warning: Usage of a configuration file is obsolete!
    avril 06 16:30:33 master.gfb.lan runuser[7671]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    avril 06 16:30:33 master.gfb.lan runuser[7671]: pam_unix(runuser:session): session closed for user ldap
    avril 06 16:30:33 master.gfb.lan slapd[7697]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 11 2019 15:35:58) $
    root@build-x86_64-1.orem.clearos.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    avril 06 16:30:33 master.gfb.lan systemd[1]: slapd.service: control process exited, code=exited status=1
    avril 06 16:30:33 master.gfb.lan systemd[1]: Failed to start OpenLDAP Server Daemon.
    avril 06 16:30:33 master.gfb.lan systemd[1]: Unit slapd.service entered failed state.
    avril 06 16:30:33 master.gfb.lan systemd[1]: slapd.service failed.
  • Monday, April 06 2020, 11:51 AM - #Permalink
    Please re-read my initial post, especially regarding the CA and try using the certificates unconverted. For diagnostics try
    systemctl status slapd -l
    If that returns nothing search the forum for starting slapd in interactive mode.
  • Monday, April 06 2020, 10:25 AM - #Permalink
    Thanks Nick.

    Yes, there's no other error message. Just changing the certificates in my slapd.conf causes this error:

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    # TLSCACertificateFile /etc/openldap/certs/clearos-ca-cert.pem
    # TLSCertificateFile /etc/openldap/certs/clearos-cert.pem
    # TLSCertificateKeyFile /etc/openldap/certs/clearos-key.pem

    TLSCACertificateFile /etc/clearos/certificate_manager.d/GFBienne-CA.pem
    TLSCertificateFile /etc/clearos/certificate_manager.d/GFBienne.pem
    TLSCertificateKeyFile /etc/clearos/certificate_manager.d/GFBienne-key.pem


    I was able to create my key file using, as you said, the rsa option.
  • Monday, April 06 2020, 10:04 AM - #Permalink
    Arnaud Forster wrote:

    Ok, so I'm gonna try to copy and rename it.

    Here was the error message I got when trying to convert my key file:

    [root@master certificate_manager.d]# openssl x509 -text -outform der -in GFBienne.key -out GFBienne-key.pem
    unable to load certificate
    140612166498192:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@master certificate_manager.d]# ls -l
    Use "rsa" and not "x509" for keys.

    You'd have to find out why slapd failed to start. There is no clue in the message you posted. Did you remember to make the user ldap a member of ssl-certs?
  • Monday, April 06 2020, 09:42 AM - #Permalink
    Oh, I was able to convert / rename my certificates but my LDAP server refuses them ...

    ...

    Process: 9003 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
    Process: 8975 ExecStartPre=/usr/libexec/openldap/prestart.sh (code=exited, status=0/SUCCESS)
    Main PID: 30479 (code=exited, status=0/SUCCESS)

    avril 06 11:40:33 master.gfb.lan prestart.sh[8975]: Configuration directory '/etc/openldap/slapd.d' does not exist.
    avril 06 11:40:33 master.gfb.lan prestart.sh[8975]: Warning: Usage of a configuration file is obsolete!
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session closed for user ldap
    avril 06 11:40:33 master.gfb.lan slapd[9003]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 11 2019 15:35:58) $
    root@build-x86_64-1.orem.clearos.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    avril 06 11:40:33 master.gfb.lan systemd[1]: slapd.service: control process exited, code=exited status=1


    I probably, as you said, need to copy my certificate to /etc/pki/tls/certs/...
  • Monday, April 06 2020, 09:34 AM - #Permalink
    Ok, so I'm gonna try to copy and rename it.

    Here was the error message I got when trying to convert my key file:

    [root@master certificate_manager.d]# openssl x509 -text -outform der -in GFBienne.key -out GFBienne-key.pem
    unable to load certificate
    140612166498192:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@master certificate_manager.d]# ls -l
  • Monday, April 06 2020, 09:21 AM - #Permalink
    Did slapd give an error? I think you can just rename the certificates.

    Note that if you're using Let's Encrypt certificates you won't want to go through the Import Certificate route, as it cannot be automated for every time the Let's Encrypt certificate updates. You'll want to do something like rsync them across from the originating server. Then have the receiving server watch for new certificates being received, move them into place and restart slapd.
  • Monday, April 06 2020, 08:18 AM - #Permalink
    Hello Nick,
    Yes, thanks for that, I found the file ... but next problem: it seems slapd uses .pem certificates and mine are .crt, .intermediate and .key ones. I successfully converted my .crt and my .intermediate to .pem certificates, but no way for the .key one.

    I'll look into getting that .key file converted. If I can't, I'll use the CA certificate.

    I come back with the details .
    thanks
  • Monday, April 06 2020, 08:08 AM - #Permalink
    I am not sure that you need to. Generally, I believe, you can just import the ClearOS CA into the third party apps.

    If you do want to use Let's Encrypt certificates, have a look at the Let's Encrypt howto and adapt one of the cyrus-imap or smtp/postfix methods. The file you need to edit is probably /etc/openldap/slapd.conf where there are three PEM entries. Guessing, but TLSCACertificateFile must point to the CA bundle (/etc/pki/tls/certs/ca-bundle.crt), TLSCertificateFile to your fullchain file and TLSCertificateKeyFile to your key file. When you get it all working and have confirmed it is working with your third party app, please post back with the details and I'll add it to the howto.