I‘m afraid you have to use a new OpenLDAP version to use new certificate algorithms.
Kind regards, Ulrich Windl
From: jehan Procaccia jehan.procaccia@imtbs-tsp.eu Sent: Tuesday, December 10, 2024 11:28 AM To: openldap-technical@openldap.org Subject: [EXT] ECDSA certs TLS init failed for slapd
Hi
we finally moved from RSA signed certificate to ECDSA signature as it is the defaults nowdays (https://community.letsencrypt.org/t/ecdsa-certificates-by-default-and-other-...)
unfortunatly , slapd doesnt like those certificates :
slapd[641]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $ mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servemailto:mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/serve slapd[641]: main: TLS init def ctx failed: -1 slapd[641]: slapd stopped.
This happened on a server running old openldap 2.4 (openldap-2.4.44-25.el7_9.x86_64)
is there a directive to allow ECDSA certs in slapd (2.4) ?
is it natively supported in up2date versions of openldap 2.5 / 2.6 ?
is there a special directive in certbot to request slapd certs ?
thanks .