我在LDAP服务器上安装了Let's Encrypt证书 .
这是我在/etc/openldap/slapd.conf中的配置:(不使用新的slapd.d DIT)
TLSCACertificateFile /etc/letsencrypt/archive/slap01.domain.tld/fullchain2.pem
TLSCertificateFile /etc/letsencrypt/archive/slap01.domain.tld/cert2.pem
TLSCertificateKeyFile /etc/letsencrypt/archive/slap01.domain.tld/privkey2.pem
我使用证书的直接链接,因为我在本网站的另一篇文章中读到openLDAP与/etc/letsencrypt/live/slap01.domain.tld中的sym-links有问题
尝试发出ldapsearch结果:
Jan 1 20:39:15 slap01 slapd[31369]: conn=1000 fd=13 ACCEPT from IP=xx.xx.xx.xx:37502 (IP=0.0.0.0:636)
Jan 1 20:39:15 slap01 slapd[31369]: conn=1000 fd=13 closed (TLS negotiation failure)
但考虑到客户端的调试输出,这可能是客户端问题:
ldap_url_parse_ext(ldaps://slap01.domain.tld)
ldap_create
ldap_url_parse_ext(ldaps://slap01.domain.tld:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP slap01.domain.tld:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.xx.xx.xx:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: error: tlsm_PR_Recv returned 0 - error 22:Invalid argument
TLS: error: connect - force handshake failure: errno 22 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
但我的问题,以及我最想要的答案是,似乎我的LDAP服务器没有提供SSL证书:
openssl s_client -connect slap01.domain.tld:636
CONNECTED(00000003)
140381523306312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
如何让我的LDAP服务器提供有效的Let's Encrypt SSL证书?