1 (edited by transitriders 2021-02-09 03:35:31)

Topic: Can't get slapd to start when TLS is enabled

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Ubuntu 20.04 & Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

Feb  8 18:47:23 ml slapd[5390]: @(#) $OpenLDAP: slapd  (Jan 22 2021 03:54:40) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Feb  8 18:47:23 ml slapd[5390]: main: TLS init def ctx failed: -1
Feb  8 18:47:24 ml slapd[5390]: slapd stopped.
Feb  8 18:47:24 ml slapd[5390]: connections_destroy: nothing to destroy.

====

When I uncomment TLSCACertificateFile..., TLSCertificateFile..., TLSCertificateKeyFile... in /etc/ldap/slapd.conf, slapd will not start.  The SSL certificate is from Let's Encrypt, and it works fine for Nginx (iRedAdmin, SOGo, etc.) after following the instructions in the documentation.

I've tried changing the paths in /etc/ldap/slapd.conf directly to /etc/letsencrypt/... and even to custom directories to where I copied the certificates.  I tried changing ownership to openldap:openldap on all directories and subdirectories and cert files.  I've even tried setting permissions to 777 (the server is not in production, obviously).  It doesn't seem to be a permissions issue. 

I tried setting slapd apparmor profile to 'complain', editing the profile manually, disabling apparmor, and even removing apparmor entirely.  Apparmor doesn't seem to be causing the problem.

I have done all this first on a fresh install of Ubuntu 20.04 on a digitalocean droplet, and then on a fresh Debian 10 on another droplet.  Same issue on both.

Any ideas what is going on?  I can't figure it out.

2 (edited by transitriders 2021-02-09 07:51:14)

Re: Can't get slapd to start when TLS is enabled

Okay, I found the problem: it was indeed a permissions issue... and an AppArmor issue.  How to fix on Ubuntu 20.04:

1. Install letsencrypt SSL cert according to the docs, renaming the default iredmail certs and linking the letsencrypt certs, as per the instructions.

2. Edit /etc/ldap/slapd.conf, uncommenting the three lines beginning with TLS... under the "# SSL cert files" heading.  (If I restart OpenLDAP using "service slapd restart" at this point, I get the error:  "Job for slapd.service failed because the control process exited with error code.")

3. Change permissions for letsencrypt certificate parent directories, as per post 5 on this forum topic.

chmod 750 /etc/letsencrypt/{live,archive}
chgrp ssl-cert /etc/letsencrypt/{live,archive}

4.  This is the new part I had to figure out myself.  I had to change the owner of the privkey1.pem in the "/etc/letsencrypt/archive/my.server.tld/" directory to 'ssl-cert' and change the file permissions to 640.

chgrp ssl-cert /etc/letsencrypt/archive/my.server.tld/privkey1.pem
chmod 640 /etc/letsencrypt/archive/my.server.tld/privkey1.pem

5.  But this was still not sufficient to get slapd to run!  In addition, I had to put the slapd apparmor profile into "complain" mode following post 7 in this forum topic.

apt install apparmor-utils
aa-complain /etc/apparmor.d/usr.sbin.slapd

6. Restart slapd

service slapd restart

and...no error message!  Run ldapwhoami from terminal on my computer with -ZZ to force TLS and...it recognizes me!
_______________

Does anyone know if my solution (#4 above) is bad security practice?  Will the permission/ownership changes to privkey1.pem be wiped when the cert is renewed?  (I suppose I'll add a renew-hook just in case.)  Why does slapd require these permissions that other services don't?

Anyway, if this is what working in IT is like, I'm glad I don't do it 9-5!!!
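
Editor's note, with an added example that is not the poster's or iRedMail's code: the steps 3-4 fix above, put into a script that (a) applies the group/mode changes to every privkeyN.pem in the archive rather than only privkey1.pem, since certbot writes a new privkeyN.pem on each renewal and repoints live/DOMAIN/privkey.pem at it, (b) checks that the key slapd will open is actually readable, and (c) installs a certbot deploy hook so the fix is re-applied after renewal (the renew-hook the poster mentions). The group ssl-cert, the openldap user, and the /etc/letsencrypt layout follow the post and stock Debian/Ubuntu; the function and hook names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the forum post or from iRedMail.
# Re-applies the ownership/permission fixes from steps 3-4 of the post in a
# reusable function, checks that the key is actually readable, and installs a
# certbot deploy hook so the fix survives renewal. Function and hook names
# are this example's own; the group (ssl-cert) and paths follow the post.
set -u

# grant_ldap_key_access ROOT DOMAIN GROUP
#   ROOT   Let's Encrypt config root, normally /etc/letsencrypt
#   DOMAIN lineage name, i.e. the directory under live/ and archive/
#   GROUP  group slapd's user belongs to (ssl-cert in the post)
grant_ldap_key_access() {
    root=$1; domain=$2; group=$3
    # Step 3: parent directories traversable by the group, closed to others.
    chgrp "$group" "$root/live" "$root/archive"
    chmod 750 "$root/live" "$root/archive"
    # Step 4, generalised: every privkeyN.pem in the archive, not only
    # privkey1.pem, because certbot writes a new privkeyN.pem on renewal
    # and repoints live/DOMAIN/privkey.pem at it.
    for key in "$root/archive/$domain"/privkey*.pem; do
        [ -e "$key" ] || continue
        chgrp "$group" "$key"
        chmod 640 "$key"
    done
}

# key_readable_by ROOT DOMAIN [USER]
# Exit 0 if the key that live/DOMAIN/privkey.pem resolves to (the one slapd
# opens) is readable: by the caller when USER is omitted, otherwise by USER.
# The USER form needs root; -s is required because the service user's login
# shell is normally /bin/false.
key_readable_by() {
    root=$1; domain=$2; user=${3:-}
    keypath="$root/live/$domain/privkey.pem"
    if [ -z "$user" ]; then
        test -r "$keypath"
    else
        su -s /bin/sh -c "test -r '$keypath'" "$user"
    fi
}

# perm_of PATH -> "MODE GID", e.g. "640 112", for checks and tests.
perm_of() {
    stat -c '%a %g' "$1"
}

# install_deploy_hook HOOKDIR GROUP
# certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/
# after a successful renewal with RENEWED_LINEAGE=/etc/letsencrypt/live/DOMAIN.
install_deploy_hook() {
    hookdir=$1; group=$2
    mkdir -p "$hookdir"
    cat > "$hookdir/slapd-key-perms" <<EOF
#!/bin/sh
# Generated by the example script: restore slapd's access after renewal.
set -eu
domain=\$(basename "\$RENEWED_LINEAGE")
chgrp $group /etc/letsencrypt/live /etc/letsencrypt/archive
chmod 750 /etc/letsencrypt/live /etc/letsencrypt/archive
chgrp $group /etc/letsencrypt/archive/"\$domain"/privkey*.pem
chmod 640 /etc/letsencrypt/archive/"\$domain"/privkey*.pem
systemctl restart slapd
EOF
    chmod 755 "$hookdir/slapd-key-perms"
}

# One-shot use on the server (as root): ./fix-slapd-cert-perms.sh mail.example.com
if [ $# -eq 1 ]; then
    grant_ldap_key_access /etc/letsencrypt "$1" ssl-cert
    install_deploy_hook /etc/letsencrypt/renewal-hooks/deploy ssl-cert
    if key_readable_by /etc/letsencrypt "$1" openldap; then
        echo "openldap can read live/$1/privkey.pem; now: service slapd restart"
    else
        echo "openldap still cannot read the key: is openldap in group ssl-cert?" >&2
        exit 1
    fi
fi
```

Two caveats for anyone copying this. First, the 640/ssl-cert scheme only works if the openldap user is a member of ssl-cert (`id openldap` shows it); if it is not, `key_readable_by` fails and the script says so. Second, `aa-complain` as in step 5 switches the slapd profile to logging instead of enforcing, which removes the confinement rather than adjusting it; the narrower fix is to grant read access to the Let's Encrypt paths in the profile's site-local override (on Ubuntu the shipped profile includes /etc/apparmor.d/local/usr.sbin.slapd for this, assuming that include is present on your version) and reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd`.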

3

Re: Can't get slapd to start when TLS is enabled

The key is AppArmor.

transitriders wrote:

Will the permission/ownership changes to privkey1.pem be wiped when the cert is renewed?

I think the owner/group/permission will be changed after renewal; you'd better pay some attention to this when it's time to renew the cert, or you can renew it manually for testing.