1 Topic by bzero

  • bzero
  • Member
  • Offline
  • Registered: 2015-11-24
  • Posts: 18

Topic: Letsencrypt and openldap issue

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: FreeBSD 11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I am using Letsencrypt + acme-client for my mail server, everything seems working except openldap.
When replacing existing self cert by Letsencrypt, openldap is unable to start. i also followed instruction in this topic, but still not get it solved.
http://www.iredmail.org/forum/topic1166 … r-tls.html

Here is my openldap with tls section:
TLSCACertificateFile /usr/local/etc/ssl/acme/domain.com/fullchain.pem
TLSCertificateFile /usr/local/etc/ssl/acme/domain.com/cert.pem
TLSCertificateKeyFile /usr/local/etc/ssl/acme/private/privkey.pem

And error as below:

Jul  2 15:44:21 moon slapd[13241]: main: TLS init def ctx failed: -1
Jul  2 15:44:21 moon slapd[13241]: DIGEST-MD5 common mech free
Jul  2 15:44:21 moon slapd[13241]: DIGEST-MD5 common mech free
Jul  2 15:44:21 moon slapd[13241]: slapd stopped.
Jul  2 15:44:21 moon slapd[13241]: connections_destroy: nothing to destroy.

Please advise me how to fix this issue.
Thank you.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Letsencrypt and openldap issue

Make sure

*) paths to cert/key are correct.
*) OpenLDAP daemon user/group has permission to read cert/key
*) Try to turn on debug in OpenLDAP to get more details. FYI: http://www.iredmail.org/docs/debug.openldap.html

3 Reply by bzero

  • bzero
  • Member
  • Offline
  • Registered: 2015-11-24
  • Posts: 18

Re: Letsencrypt and openldap issue

ZhangHuangbin wrote:

Make sure

*) paths to cert/key are correct.
*) OpenLDAP daemon user/group has permission to read cert/key
*) Try to turn on debug in OpenLDAP to get more details. FYI: http://www.iredmail.org/docs/debug.openldap.html

Thanks Zhang for your advise.
It's indeed permission issue.

i tried to create separate folder, then copy all certs to this folder and granting ldap:ldap for entire that folder.
Now, i could start slapd daemon without having any issue, mail sending is still normal. That's cool!

The remain thing is that copying the certs from letsencrypt folder to openldap owner location after they are renewed.
i am seeking for simple way to do that, as it's on same system.

smile

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Letsencrypt and openldap issue

Should be fine to use the same cert/key without copying. Just make sure file permission is ok - not just the cert/key, but the parent folders.

5 Reply by bzero

  • bzero
  • Member
  • Offline
  • Registered: 2015-11-24
  • Posts: 18

Re: Letsencrypt and openldap issue

ZhangHuangbin wrote:

Should be fine to use the same cert/key without copying. Just make sure file permission is ok - not just the cert/key, but the parent folders.

This would be great to use cert in one location, here is the existing certs which are generated by acme-client
What should i update to correct this permission issue for ldap and still working normally with other services (dovecot, postfix, nginx).

# ls -alh /usr/local/etc/ssl/acme/
total 32
drwxr-xr-x  4 root  wheel   512B Jul  2 13:59 .
drwxr-xr-x  4 root  wheel   512B Jul  2 10:48 ..
drwxr-xr-x  2 root  wheel   512B Jul  2 13:59 imail.domain.com
drwx------  2 root  wheel   512B Jul  2 13:58 private
#
# ls -alh imail.domain.com/
total 40
drwxr-xr-x  2 root  wheel   512B Jul  2 13:59 .
drwxr-xr-x  4 root  wheel   512B Jul  2 13:59 ..
-r--r--r--  1 root  wheel   2.3K Jul  2 13:59 cert.pem
-r--r--r--  1 root  wheel   1.6K Jul  2 13:59 chain.pem
-r--r--r--  1 root  wheel   3.9K Jul  2 13:59 fullchain.pem
# ls -alh private/
total 24
drwx------  2 root  wheel   512B Jul  2 13:58 .
drwxr-xr-x  4 root  wheel   512B Jul  2 13:59 ..
-r--------  1 root  wheel   3.2K Jul  2 13:58 privkey.pem

Thank you smile

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Letsencrypt and openldap issue

bzero wrote:

# ls -alh /usr/local/etc/ssl/acme/
...
drwx------  2 root  wheel   512B Jul  2 13:58 private


# ls -alh private/
...
-r--------  1 root  wheel   3.2K Jul  2 13:58 privkey.pem

See these 2 lines? only root:wheel can access this directory and file.

7 Reply by bzero (edited by bzero 2017-07-04 00:55:24)

  • bzero
  • Member
  • Offline
  • Registered: 2015-11-24
  • Posts: 18

Re: Letsencrypt and openldap issue

i couldn't find way to use the same cert directory for all.
ldap requires to own the cert directory. I tested,

# ls -alh
total 32
drwxr-xr-x  4 root  wheel   512B Jul  3 16:49 .
drwxr-xr-x  4 root  wheel   512B Jul  3 16:49 ..
drwxr-xr-x  2 root  wheel   512B Jul  3 16:49 imail.domain.com
drwxrw-rw-  2 root  wheel   512B Jul  3 16:49 private

# ls -alh private/
total 24
drwxrw-rw-  2 root  wheel   512B Jul  3 16:49 .
drwxr-xr-x  4 root  wheel   512B Jul  3 16:49 ..
-r--r--r--  1 root  wheel   3.2K Jul  3 16:49 privkey.pem

Any advise would be appreciated. Thanks!

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Letsencrypt and openldap issue

The goal is making sure all required daemon users  (postfix, dovecot, openldap) have the read permission. I'm not sure your acme-client supports custom permission, but "certbot" program (another LetsEncrypt client) doesn't restrict the directory and cert/key to 0700.