1 (edited by manilaboy1vic 2021-02-16 13:35:04)

Topic: Lets Encrypt with slapd

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2 OPENLDAP edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Linux Ubuntu / 5.8.0-43-generic
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Thanks for putting this out there for everyone to use. This is working pretty great. I have minimal issues right now.

1: I got SSL certs from Lets Encrypt and everything is fine except for LDAP.  If I enable TLS for LDAP, it will not start.

I created symlinks for the Lets Encrypt certs and everything is correct in that regard. The admin page is no longer showing the unsafe error, etc...

If I enable this in /etc/ldap/slapd.conf:

TLSCACertificateFile /etc/ssl/certs/iRedMail.crt
TLSCertificateFile /etc/ssl/certs/iRedMail.crt
TLSCertificateKeyFile /etc/ssl/private/iRedMail.key

I get this error when restarting ldap:

vic@mail:~$ sudo systemctl restart slapd
Job for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.

Feb 15 21:04:52 mail sudo[79793]:      vic : TTY=pts/2 ; PWD=/home/vic ; USER=root ; COMMAND=/usr/bin/systemctl restart slapd
Feb 15 21:04:52 mail sudo[79793]: pam_unix(sudo:session): session opened for user root by vic(uid=0)
Feb 15 21:04:52 mail systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Feb 15 21:04:52 mail slapd[79796]:  * Starting OpenLDAP slapd
Feb 15 21:04:52 mail slapd[79801]: @(#) $OpenLDAP: slapd 2.4.53+dfsg-1ubuntu1.3 (Feb  2 2021 15:37:52) $
                                           Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Feb 15 21:04:52 mail slapd[79801]: DIGEST-MD5 common mech free
Feb 15 21:04:52 mail slapd[79801]: DIGEST-MD5 common mech free
Feb 15 21:04:52 mail slapd[79796]:    ...fail!
Feb 15 21:04:52 mail systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Feb 15 21:04:52 mail systemd[1]: slapd.service: Failed with result 'exit-code'.
Feb 15 21:04:52 mail systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Feb 15 21:04:52 mail sudo[79793]: pam_unix(sudo:session): session closed for user root
Feb 15 21:05:01 mail CRON[79804]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 15 21:05:01 mail CRON[79805]: (root) CMD (/bin/bash /usr/local/bin/fail2ban_banned_db unban_db)
Feb 15 21:05:01 mail CRON[79804]: pam_unix(cron:session): session closed for user root

---
Sym links are there.

root@mail:/etc/ssl/certs# ll | grep iRed
lrwxrwxrwx 1 root root     59 Feb 15 20:04 iRedMail.crt -> /etc/letsencrypt/live/mail.domain.net/fullchain.pem
-rw-r--r-- 1 root root   2236 Feb 14 04:08 iRedMail.crt.bak


root@mail:/etc/ssl/private# ll | grep iRed
lrwxrwxrwx 1 root root       57 Feb 15 20:04 iRedMail.key -> /etc/letsencrypt/live/mail.domain.net/privkey.pem

----

Just tested this. This does work for some reason:

TLSCACertificateFile /etc/ssl/certs/iRedMail.crt.bak
TLSCertificateFile /etc/ssl/certs/iRedMail.crt.bak
TLSCertificateKeyFile /etc/ssl/private/iRedMail.key.bak

TIA


2

Re: Lets Encrypt with slapd

What's the owner/group/permission of directories below? Does OpenLDAP daemon user or group have permission to read the cert/key files?

/etc/letsencrypt/live
/etc/letsencrypt/archive

BTW, if you don't need to access openldap from another host, then it's better not to enable SSL/TLS in OpenLDAP, to avoid the service restart after the cert is renewed; local connections are considered secure.

3 (edited by manilaboy1vic 2021-02-16 14:12:18)

Re: Lets Encrypt with slapd

Hi, here is what I see:

root@mail:/home/vic# ll /etc/letsencrypt/live/
total 16
drw-r--r-- 3 root root 4096 Feb 15 19:59 ./
drwxr-xr-x 9 root root 4096 Feb 15 21:29 ../
drwxr-xr-x 2 root root 4096 Feb 15 19:59 mail.domain.net/
-rw-r--r-- 1 root root  740 Feb 15 19:59 README

root@mail:/home/vic# ll /etc/letsencrypt/archive/
total 12
drw-r--r-- 3 root root 4096 Feb 15 19:59 ./
drwxr-xr-x 9 root root 4096 Feb 15 21:29 ../
drwxr-xr-x 2 root root 4096 Feb 15 19:59 mail.domain.net/

root@mail:/home/vic# ps aux | grep slap
openldap    4034  0.1  0.1 2387292 12776 ?       Ssl  21:36   0:02 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf
root        5267  0.0  0.0  17660   876 pts/0    S+   22:07   0:00 grep --color=auto slap

root@mail:/home/vic# ll /etc/ssl/certs/iRedMail.crt.bak
-rw-r--r-- 1 root root 2236 Feb 14 04:08 /etc/ssl/certs/iRedMail.crt.bak
root@mail:/home/vic# ll /etc/ssl/certs/iRedMail.crt.bak
-rw-r--r-- 1 root root 2236 Feb 14 04:08 /etc/ssl/certs/iRedMail.crt.bak
root@mail:/home/vic# ll /etc/ssl/private/iRedMail.key.bak
-rw-r--r-- 1 root root 3268 Feb 14 04:08 /etc/ssl/private/iRedMail.key.bak
root@mail:/home/vic#


The private key from Lets Encrypt does not have read access for the world or group. I did change it to test but it made no difference.


root@mail:/etc/letsencrypt/archive/mail.domain.net# ll
total 24
drwxr-xr-x 2 root root 4096 Feb 15 19:59 ./
drw-r--r-- 3 root root 4096 Feb 15 19:59 ../
-rw-r--r-- 1 root root 1862 Feb 15 19:59 cert1.pem
-rw-r--r-- 1 root root 1586 Feb 15 19:59 chain1.pem
-rw-r--r-- 1 root root 3448 Feb 15 19:59 fullchain1.pem
-rw------- 1 root root 1704 Feb 15 19:59 privkey1.pem

4

Re: Lets Encrypt with slapd

ZhangHuangbin wrote:

What's the owner/group/permission of directories below? Does OpenLDAP daemon user or group have permission to read the cert/key files?

/etc/letsencrypt/live
/etc/letsencrypt/archive

BTW, if you don't need to access openldap from another host, then it's better not to enable SSL/TLS in OpenLDAP, to avoid the service restart after the cert is renewed; local connections are considered secure.


I am actually accessing from another host using Apache Directory Studio.

5

Re: Lets Encrypt with slapd

Check directory owner/group/permission with commands below:

ls -l /etc/letsencrypt/

OpenLDAP daemon user/group should have access to /etc/letsencrypt/live and /etc/letsencrypt/archive.

6

Re: Lets Encrypt with slapd

ZhangHuangbin wrote:

Check directory owner/group/permission with commands below:

ls -l /etc/letsencrypt/

OpenLDAP daemon user/group should have access to /etc/letsencrypt/live and /etc/letsencrypt/archive.


This is what I am showing:

root@mail:~# ls -la /etc/letsencrypt/
total 64
drwxr-xr-x   9 root root  4096 Feb 21 16:59 .
drwxr-xr-x 150 root root 12288 Feb 18 11:20 ..
drwx------   4 root root  4096 Feb 15 19:59 accounts
drw-r--r--   3 root root  4096 Feb 15 19:59 archive
-rw-r--r--   1 root root   121 May 26  2018 cli.ini
drwxr-xr-x   2 root root  4096 Feb 15 19:59 csr
drwx------   2 root root  4096 Feb 15 19:59 keys
drw-r--r--   3 root root  4096 Feb 15 19:59 live
-rw-r--r--   1 root root   721 Feb 16 13:48 options-ssl-nginx.conf
drwxr-xr-x   2 root root  4096 Feb 15 19:59 renewal
drwxr-xr-x   5 root root  4096 Feb 15 19:50 renewal-hooks
-rw-r--r--   1 root root   424 Feb 16 13:48 ssl-dhparams.pem
-rw-r--r--   1 root root    64 Feb 16 13:48 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--   1 root root    64 Feb 16 13:48 .updated-ssl-dhparams-pem-digest.txt

7

Re: Lets Encrypt with slapd

Does it work after setting permission with these commands?

chmod 0744 /etc/letsencrypt/{live,archive}
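The permission check asked for in post 5 and the chmod in post 7 both come down to one question: can the user slapd runs as (openldap, per the `ps` output above) pass every directory between `/etc/ssl/certs/iRedMail.crt` and the real file under `/etc/letsencrypt/archive/`, and read the file at the end? The script below is an added example for this thread, not iRedMail's, certbot's or OpenLDAP's own code. It walks a path the way the kernel resolves it (search bit on each directory, follow each symlink, read bit on the final file) and reports the first blocking component. It assumes GNU coreutils (`stat -c %a`) and certbot's usual `root:root` ownership of `/etc/letsencrypt`, so a daemon user like openldap is matched by the "other" permission class; the file name `check_cert_access.sh` and the paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread, iRedMail or certbot): walk a certificate
# path the way the kernel resolves it and report the first component that a
# non-root daemon user such as openldap could not pass. Assumes GNU coreutils
# (stat -c %a) and root:root ownership of the directories, so the daemon user
# is evaluated as the "other" permission class.

# other_has MODE BIT: MODE is the octal mode printed by `stat -c %a` (644,
# 2755, ...), BIT is r or x. Succeeds when the "other" class (the last octal
# digit) has that bit.
other_has() {
    o=${1#"${1%?}"}
    case "$2$o" in
        r4|r5|r6|r7|x1|x3|x5|x7) return 0 ;;
        *) return 1 ;;
    esac
}

# check_other_access PATH: every directory on the way needs the search (x)
# bit, every symlink is followed (/etc/ssl -> live/ -> archive/), and the final
# file needs the read bit. Prints the first blocking component and returns 1;
# prints nothing and returns 0 when the whole chain is readable by "other".
check_other_access() {
    p="$1"
    hops=0
    while :; do
        # Collect ancestor directories top-down in the positional parameters
        # so the outermost blocking directory is reported, not the deepest.
        set --
        d=$(dirname "$p")
        while [ "$d" != "/" ] && [ "$d" != "." ]; do
            set -- "$d" "$@"
            d=$(dirname "$d")
        done
        for d in "$@"; do
            m=$(stat -c %a "$d" 2>/dev/null) || m=""
            if ! other_has "$m" x; then
                printf 'blocked: directory %s (mode %s) lacks the search bit for others\n' "$d" "${m:-unreadable}"
                return 1
            fi
        done
        if [ -L "$p" ]; then
            t=$(readlink "$p")
            case "$t" in
                /*) p="$t" ;;
                *)  p="$(dirname "$p")/$t" ;;   # relative target, as in live/ -> ../../archive/
            esac
            hops=$((hops + 1))
            if [ "$hops" -gt 20 ]; then
                printf 'blocked: too many symlink levels at %s\n' "$p"
                return 1
            fi
            continue
        fi
        if [ ! -e "$p" ]; then
            printf 'blocked: %s does not exist (dangling symlink?)\n' "$p"
            return 1
        fi
        m=$(stat -c %a "$p" 2>/dev/null) || m=""
        if ! other_has "$m" r; then
            printf 'blocked: file %s (mode %s) lacks the read bit for others\n' "$p" "${m:-unreadable}"
            return 1
        fi
        return 0
    done
}

# Usage (paths illustrative):
#   sh check_cert_access.sh /etc/ssl/certs/iRedMail.crt /etc/ssl/private/iRedMail.key
rc=0
for f in "$@"; do
    if check_other_access "$f"; then
        printf 'ok: %s is readable by the "other" class end to end\n' "$f"
    else
        rc=1
    fi
done
if [ "$#" -gt 0 ]; then exit "$rc"; fi
```

Run it against the exact paths named in `slapd.conf`, since those are what slapd opens. A directory mode of 0644 (the `drw-r--r--` shown for `live` and `archive` above) and 0744 both leave the "other" class without the search bit, so the walk stops there; 0755 lets it continue into `archive/`. The private key certbot writes is `-rw-------` root-owned, so it is reported as blocked as well; if that file is shared with slapd by group ownership rather than by world-readability, the group digit is what matters, and this check, which only evaluates the last digit, would need to be extended for that case.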