  • Thanks Nick.

    Yes, there's no other error message. Just changing the certificates in my slapd.conf causes this error:

    I was able to create my keyfile using, as you said, the rsa option

  • Arnaud Forster wrote:

    Ok, so I'm gonna try to copy and rename it.

    Here is the error message I get when trying to convert my key file:

    [root@master certificate_manager.d]# openssl x509 -text -outform der -in GFBienne.key -out GFBienne-key.pem
    unable to load certificate
    140612166498192:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@master certificate_manager.d]# ls -l
    Use "rsa" and not "x509" for keys.

    You'd have to find out why slapd failed to start. There is no clue in the message you posted. Did you remember to make the user ldap a member of ssl-certs?

  • Oh, I was able to convert / rename my certificates but my ldap server refuses them...

    ...


    Process: 9003 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
    Process: 8975 ExecStartPre=/usr/libexec/openldap/prestart.sh (code=exited, status=0/SUCCESS)
    Main PID: 30479 (code=exited, status=0/SUCCESS)

    avril 06 11:40:33 master.gfb.lan prestart.sh[8975]: Configuration directory '/etc/openldap/slapd.d' does not exist.
    avril 06 11:40:33 master.gfb.lan prestart.sh[8975]: Warning: Usage of a configuration file is obsolete!
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    avril 06 11:40:33 master.gfb.lan runuser[8979]: pam_unix(runuser:session): session closed for user ldap
    avril 06 11:40:33 master.gfb.lan slapd[9003]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 11 2019 15:35:58) $
    root@build-x86_64-1.orem.clearos.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    avril 06 11:40:33 master.gfb.lan systemd[1]: slapd.service: control process exited, code=exited status=1

  • Ok, so I'm gonna try to copy and rename it.

    Here is the error message I get when trying to convert my key file:

    [root@master certificate_manager.d]# openssl x509 -text -outform der -in GFBienne.key -out GFBienne-key.pem
    unable to load certificate
    140612166498192:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@master certificate_manager.d]# ls -l

  • Did slapd give an error? I think you can just rename the certificates.

    Note that if you're using Let's Encrypt certificates you won't want to go through the Import Certificate route as it cannot be automated for every time the Let's Encrypt certificate updates. You'll want to do something like rsync them across from the originating server. Then have the receiving server watch for new certificates being received, move them into place and restart slapd.

  • Hello Nick,
    Yes, thanks for that, I found the file ... but next problem: it seems slapd uses .pem certificates and mine are .crt, .intermediate and .key ones. I successfully converted my .cert and my .intermediate to .pem certificates but no way for the .key one.

    I'll look for that .key file to be converted. If I can't, I'll use the CA certificate.

    I'll come back with the details.
    Thanks

  • I am not sure that you need to. Generally, I believe, you can just import the ClearOS CA into the third party apps.

    If you do want to use Let's Encrypt certificates, have a look at the Let's Encrypt howto and adapt one of the cyrus-imap or smtp/postfix methods. The file you need to edit is probably /etc/openldap/slapd.conf where there are three PEM entries. Guessing, but TLSCACertificateFile must point to the CA bundle (/etc/pki/tls/certs/ca-bundle.crt), TLSCertificateFile to your fullchain file and TLSCertificateKeyFile to your key file. When you get it all working and have confirmed it is working with your third party app, please post back with the details and I'll add it to the howto.
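
The following script is an added example, not code from this thread, from ClearOS or from the Let's Encrypt howto. It puts the two suggestions above into one defensive routine: the three PEM files that slapd.conf's TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile point at are checked by their PEM header first (the "no start line ... Expecting: TRUSTED CERTIFICATE" error earlier in the thread is exactly what happens when a private key is fed to `openssl x509`), then, if openssl is installed, the key is matched against the leaf certificate and the chain is verified against the CA bundle; only after that are the files copied into place atomically and slapd restarted, and only if something actually changed, which is what the "watch for new certificates, move them into place and restart" idea needs when rsync runs on a timer. The file names `ca-bundle.crt`, `fullchain.pem` and `privkey.pem`, the install directory and the `systemctl restart slapd` command are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS. Validates the three
# PEM files that slapd.conf's TLSCACertificateFile / TLSCertificateFile /
# TLSCertificateKeyFile point at, installs them only when their content changed,
# and restarts slapd only in that case. File names, install paths and the
# restart command are assumptions; adjust them to your layout.

# Classify a PEM file by its first "-----BEGIN ...-----" line.
# Prints: certificate | private-key | unknown
pem_kind() {
    [ -r "$1" ] || { echo unknown; return 0; }
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1")
    case "$hdr" in
        '-----BEGIN CERTIFICATE-----'|'-----BEGIN TRUSTED CERTIFICATE-----')
            echo certificate ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----')
            echo private-key ;;
        *)  echo unknown ;;
    esac
}

# Header-only check of the trio. Feeding a key to "openssl x509" (or a
# certificate to "openssl rsa") is what produces the "no start line ...
# Expecting: TRUSTED CERTIFICATE" error seen earlier in the thread.
check_pem_kinds() {
    ca=$1 cert=$2 key=$3
    [ "$(pem_kind "$ca")" = certificate ]   || { echo "not a certificate PEM: $ca" >&2; return 1; }
    [ "$(pem_kind "$cert")" = certificate ] || { echo "not a certificate PEM: $cert" >&2; return 1; }
    [ "$(pem_kind "$key")" = private-key ]  || { echo "not a private-key PEM: $key" >&2; return 1; }
}

# Cryptographic check, run only when openssl is installed: the key must belong
# to the leaf certificate and the chain must verify against the CA bundle that
# slapd will be given.
check_key_and_chain() {
    ca=$1 cert=$2 key=$3
    command -v openssl >/dev/null 2>&1 || return 0
    # Compare SubjectPublicKeyInfo blobs; works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match $cert" >&2; return 1; }
    # Passing the fullchain file as -untrusted lets openssl use the
    # intermediates it contains when building the path to the CA bundle.
    openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 1; }
}

# Copy src over dst atomically (write next to dst, then rename) and only when
# the content differs, so a running slapd never sees a half-written file.
# Prints "changed" or "unchanged".
install_if_changed() {
    src=$1 dst=$2 mode=$3
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }
    echo changed
}

# Full cycle for a freshly synced directory (e.g. rsync'ed from the host that
# renews the Let's Encrypt certificate): validate, install, restart on change.
# RESTART_CMD defaults to the systemd unit name ClearOS 7 uses; set it to
# "true" for a dry run. The key is installed mode 0640; give it a group the
# ldap user belongs to (chown is left out so this example runs unprivileged).
deploy_slapd_tls() {
    src_dir=$1 dst_dir=$2
    check_pem_kinds     "$src_dir/ca-bundle.crt" "$src_dir/fullchain.pem" "$src_dir/privkey.pem" || return 1
    check_key_and_chain "$src_dir/ca-bundle.crt" "$src_dir/fullchain.pem" "$src_dir/privkey.pem" || return 1
    changed=0
    for entry in ca-bundle.crt:0644 fullchain.pem:0644 privkey.pem:0640; do
        name=${entry%%:*}
        mode=${entry##*:}
        result=$(install_if_changed "$src_dir/$name" "$dst_dir/$name" "$mode") || return 1
        if [ "$result" = changed ]; then changed=1; fi
    done
    if [ "$changed" -eq 1 ]; then
        ${RESTART_CMD:-systemctl restart slapd} || return 1
        echo restarted
    else
        echo unchanged
    fi
}
```

Run it as `deploy_slapd_tls /var/lib/le-sync /etc/openldap/certs` (paths assumed) from the job that follows each rsync; because the install step is content-based, calling it every few minutes is harmless and slapd is only restarted on the day the certificate actually renews. A failed header or key check leaves the files already in place untouched, so a bad sync cannot take the LDAP service down.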

  • Use imported certificate to connect to LDAP Server

    Hello all,
    I imported a wildcard certificate into my system. I installed it and declared it for use with the webconfig console.
    Now, I need to connect to my OpenLDAP server from other applications and I wanted to use my certificate. But, as I can see, my OpenLDAP still uses my original self-signed certificate.
    Is there a way to change that to make my ldap use my imported certificate?
    Thanks to all for your help