  • Hello Nick,
    I was finally able to change my certificate for my OpenLDAP server....
    So many hours lost, sorry for that.
    In the end, changing the name of my certificates was a (very) bad idea...
    I just copied them to my clearos folder without changing anything and modified the entries in my slapd.conf file..
    Let me know if you need more information.
    Thanks very much for your help.

  • OK, thank you very much Nick, I'll re-read the whole
    Have a good night

  • Yes I will but... (please don't shout at me)

    In the slapd.conf file, you have 3 lines to configure the certificates.



    I have these 3 different files, but if I combine 2 of them I could only fill in two of the three lines.. so if I understand correctly what you wrote above:

    you combine the certificate and the key in 1 file. So there will still be the CA file.

    so I'll define my

    TLSCACertificateFile /etc/clearos/certificate_manager.d/GFBienne.intermediate

    and maybe

    TLSCertificateFile /etc/clearos/certificate_manager.d/GFBienne.combined

    and so I leave the option
    empty?

  • :) Thanks very much Nick.. sorry for my bad English... trying to do my best ;)

    I found a post on combining 2 certificates:

    cat my_site.pem ca_chain.pem my_site.key > combined_cert.pem

    But then, if I understand correctly, I'll have 2 different certificates in my slapd.conf file: the one I have with my official domain name (and the one created by ClearOS?)

  • Sorry,
    Maybe I misunderstood what you wrote.
    So, I added ldap to the ssl-cert group and just made a try with the original certificates:

    [root@master certificate_manager.d]# usermod -a -G ssl-cert ldap

    but I still have the same error:

  • Thanks Nick.

    Yes, there's no other error message. Just changing the certificates in my slapd.conf causes this error:

    I was able to create my key file using, as you said, the rsa option.

  • Oh, I was able to convert / rename my certificates but my ldap server refuses them...


    Process: 9003 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
    Process: 8975 ExecStartPre=/usr/libexec/openldap/ (code=exited, status=0/SUCCESS)
    Main PID: 30479 (code=exited, status=0/SUCCESS)

    avril 06 11:40:33 master.gfb.lan[8975]: Configuration directory '/etc/openldap/slapd.d' does not exist.
    avril 06 11:40:33 master.gfb.lan[8975]: Warning: Usage of a configuration file is obsolete!
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session closed for user ldap
    avril 06 11:40:33 master.gfb.lan slapd[9003]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 11 2019 15:35:58) $
    avril 06 11:40:33 master.gfb.lan systemd[1]: slapd.service: control process exited, code=exited status=1

  • OK, so I'm going to try to copy and rename it.

    Here is the error message I get when trying to convert my key file:

    [root@master certificate_manager.d]# openssl x509 -text -outform der -in GFBienne.key -out GFBienne-key.pem
    unable to load certificate
    140612166498192:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@master certificate_manager.d]# ls -l
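
    The "no start line ... Expecting: TRUSTED CERTIFICATE" error above comes from handing a private key to `openssl x509`, and the posts above about the three slapd.conf lines and the cat-combined file are really the same question: which PEM file goes in which directive. The script below is an added example, not code from this thread, from ClearOS or from OpenLDAP. It classifies each file by its PEM headers, refuses to emit the directives if a file is the wrong kind (certificate where a key is expected, a passphrase-protected key, no PEM header at all), and warns if the key file also carries certificates, as the `cat ... > combined_cert.pem` recipe produces. File names, the `check_tls.sh` script name and the sample PEM bodies are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS/OpenLDAP: sort out which
# PEM file belongs in which slapd.conf TLS directive. All paths are hypothetical.

# Report the first PEM block in FILE, which is what `openssl x509 -in FILE`
# reads; a private key there is why it reports "no start line ... Expecting:
# TRUSTED CERTIFICATE". Prints "not-pem" and returns 1 if there is no PEM header.
pem_kind() {
    hdr=$(grep -e '-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    [ -n "$hdr" ] || { echo "not-pem"; return 1; }
    case "$hdr" in
        *"BEGIN CERTIFICATE-----"*|*"BEGIN TRUSTED CERTIFICATE-----"*) echo "certificate" ;;
        *"BEGIN ENCRYPTED PRIVATE KEY-----"*) echo "encrypted-private-key" ;;
        *"PRIVATE KEY-----"*) echo "private-key" ;;
        *) echo "other" ;;
    esac
}

# True if FILE holds at least one PEM block whose header contains WORD, so
# `pem_has f.pem "PRIVATE KEY"` is true for RSA, EC and PKCS#8 keys alike.
pem_has() {
    grep -q -e "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# Number of certificates in FILE (a server certificate file may carry its chain).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Validate the CA, server certificate and key files, then print the three
# slapd.conf directives. Prints nothing and returns 1 if any file is the wrong kind.
slapd_tls_directives() {
    ca=$1; cert=$2; key=$3; bad=0
    pem_has "$ca" CERTIFICATE || { echo "CA file $ca holds no PEM certificate" >&2; bad=1; }
    pem_has "$cert" CERTIFICATE || { echo "$cert holds no PEM certificate (first block: $(pem_kind "$cert"))" >&2; bad=1; }
    if ! pem_has "$key" "PRIVATE KEY"; then
        echo "$key holds no PEM private key (first block: $(pem_kind "$key"))" >&2; bad=1
    elif pem_has "$key" "ENCRYPTED PRIVATE KEY"; then
        # slapd has no way to ask for a passphrase at start-up.
        echo "$key is passphrase-protected; slapd cannot prompt for a passphrase" >&2; bad=1
    elif [ "$(cert_count "$key")" -gt 0 ]; then
        echo "note: $key also carries certificates; keep the private key in its own file" >&2
    fi
    [ "$bad" -eq 0 ] || return 1
    printf 'TLSCACertificateFile %s\nTLSCertificateFile %s\nTLSCertificateKeyFile %s\n' "$ca" "$cert" "$key"
}

# Stand-alone use: sh check_tls.sh CA.pem server.pem server.key
if [ "$#" -eq 3 ]; then
    slapd_tls_directives "$@"
fi
```

    The script only checks headers, not that the key belongs to the certificate; for that, compare `openssl x509 -noout -modulus -in server.pem` with `openssl rsa -noout -modulus -in server.key` before restarting slapd. Because the unit starts slapd as the ldap user (`slapd -u ldap` in the systemd output in the thread), that user must also be able to read the key file, which is what the `usermod -a -G ssl-cert ldap` step in the thread is about.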

  • Hello Nick,
    Yes, thanks for that, I found the file... but next problem.. it seems slapd uses .pem certificates and mine are .crt, .intermediate and .key ones. I successfully converted my .cert and my .intermediate to .pem certificates but no way for the .key one.

    I'll look into converting that .key file; if I can't, I'll use the CA certificate.

    I'll come back with the details.

  • Use imported certificate to connect to LDAP Server

    Hello all,
    I imported a wildcard certificate into my system. I installed it and declared it for use with the webconfig console.
    Now, I need to connect to my OpenLDAP server from other applications and I wanted to use my certificate. But, as I can see, my OpenLDAP still uses my original self-signed certificate.
    Is there a way to change that, to make my LDAP use my imported certificate?
    Thanks to all for your help.