Hi,
As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
thanks, jf
Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca writes:
> As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
I *do* restart slapd after I installed the new Let's Encrypt certificate.
I doubt there is any other way to make the LDAP server aware of the certificate change. And this is a 20-second interruption, nothing worth mentioning (or you are a big organization, then you have redundant LDAP servers and you would upgrade one at a time so it should be transparent to your users).
Best regards,
Olivier
> thanks, jf
Olivier wrote:
> Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca writes:
> > As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
> I *do* restart slapd after I installed the new Let's Encrypt certificate.
Use ldapmodify to set the new cert in cn=config. No restarts needed.
> I doubt there is any other way to make the LDAP server aware of the certificate change. And this is a 20-second interruption, nothing worth mentioning (or you are a big organization, then you have redundant LDAP servers and you would upgrade one at a time so it should be transparent to your users).
> Best regards,
> Olivier
> > thanks, jf
On 9/10/19 3:34 PM, Howard Chu wrote:
> Olivier wrote:
> > Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca writes:
> > > As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
> > I *do* restart slapd after I installed the new Let's Encrypt certificate.
> Use ldapmodify to set the new cert in cn=config. No restarts needed.
Nitpicking: this requires using new file names for the cert and key files, doesn't it?
Ciao, Michael.
* Michael Ströder michael@stroeder.com [20190910 11:07]:
> On 9/10/19 3:34 PM, Howard Chu wrote:
> > Olivier wrote:
> > > Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca writes:
> > > > As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
> > > I *do* restart slapd after I installed the new Let's Encrypt certificate.
> > Use ldapmodify to set the new cert in cn=config. No restarts needed.
> Nitpicking: this requires using new file names for the cert and key files, doesn't it?
This is what I figure too! Some LetsEncrypt pre- and post-hooks should do the trick though. I'll see what I can come up with.
Thanks for the help, much appreciated! jf
> Ciao, Michael.
So as far as new filenames go, I have been using https://github.com/Neilpang/acme.sh for a while for other projects and it creates symlinks to the current cert, so this may be a more direct approach to dealing with this.
On Sep 10, 2019, at 8:15 AM, Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca wrote:
> * Michael Ströder michael@stroeder.com [20190910 11:07]:
> > On 9/10/19 3:34 PM, Howard Chu wrote:
> > > Olivier wrote:
> > > > Jean-Francois Malouin Jean-Francois.Malouin@bic.mni.mcgill.ca writes:
> > > > > As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates. Is there a way to make slapd aware of a cert renewal (they happen every 90 days) without restarting it, i.e., with minimal service interruption?
> > > > I *do* restart slapd after I installed the new Let's Encrypt certificate.
> > > Use ldapmodify to set the new cert in cn=config. No restarts needed.
> > Nitpicking: this requires using new file names for the cert and key files, doesn't it?
> This is what I figure too! Some LetsEncrypt pre- and post-hooks should do the trick though. I'll see what I can come up with.
> Thanks for the help, much appreciated! jf
> > Ciao, Michael.
--On Tuesday, September 10, 2019 6:07 PM +0200 Michael Ströder michael@stroeder.com wrote:
> > Use ldapmodify to set the new cert in cn=config. No restarts needed.
> Nitpicking: this requires using new file names for the cert and key files, doesn't it?
I'd expect a no-op should work just fine. I.e., do a mod/replace with the same value.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
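As an added example (not code from this thread, from OpenLDAP or from acme.sh), here is a renewal deploy hook along the lines Howard and Quanah describe: it pushes a no-op replace of olcTLSCertificateFile / olcTLSCertificateKeyFile to cn=config over ldapi:// so the file names can stay fixed (e.g. the symlinks acme.sh maintains), and then checks which certificate the server actually presents on port 636. The file paths, the hostname and root access to cn=config via SASL EXTERNAL on ldapi:// are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): deploy hook that makes slapd pick up a
# renewed certificate without a restart. Per Quanah's suggestion, the modify
# writes the *same* paths back (a no-op replace), which should make slapd
# re-read the files; verify_served confirms that it really did.
# Assumed (hypothetical) paths and host; adjust to your installation.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/ldap.example.org/fullchain.pem}"
KEY_FILE="${KEY_FILE:-/etc/letsencrypt/live/ldap.example.org/privkey.pem}"
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"

# Emit the LDIF for the no-op replace on cn=config (cert path $1, key path $2).
build_ldif() {
cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $2
-
EOF
}

# Sanity-check before touching the running server: the cert must parse and its
# public key must match the private key, otherwise slapd keeps the old context.
check_pair() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Apply as root over ldapi:// (SASL EXTERNAL); no password, no restart.
apply() {
    build_ldif "$CERT_FILE" "$KEY_FILE" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# The serial presented on the wire must equal the serial of the renewed file.
verify_served() {
    want=$(openssl x509 -in "$CERT_FILE" -noout -serial)
    got=$(openssl s_client -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" \
            </dev/null 2>/dev/null | openssl x509 -noout -serial)
    [ "$want" = "$got" ]
}

# Run the full sequence only when invoked as: ./hook.sh run
if [ "${1:-}" = "run" ]; then
    check_pair "$CERT_FILE" "$KEY_FILE" && apply && verify_served
fi
```

If verify_served fails after the modify, the file names really do need to change for that slapd build, as Michael suspected, and the hook should write the renewed files under a new name before the replace.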