Skip to content

Instantly share code, notes, and snippets.

@ergoz
Forked from plembo/LetsEncrypt389DS.md
Created October 7, 2024 13:40
Show Gist options
  • Save ergoz/d332e8302c620f278bb086460445bb01 to your computer and use it in GitHub Desktop.
Save ergoz/d332e8302c620f278bb086460445bb01 to your computer and use it in GitHub Desktop.
Let's Encrypt 389 Directory Server

Let's Encrypt the 389 Directory Server

The following procedure is for installing a wildcard cert and key paid from Let's Encrypt for the 389 Directory Server.

  1. Use the 389 Console gui to create a certificate database db and to import the Let's Encrypt certificate chain cert (which will be in PEM format). See secs. 9.1.3.2 and 9.3.3.2 of the Red Hat Directory Server Administration Guide for details.

  2. Create a pin.txt file under /etc/dirsrv/slapd-[instance name]:

Internal (Software) Token:agoodpassword
  1. Convert your key and cert obtained from Let's Encrypt to PKCS12 format:
openssl pkcs12 -export -out myhost.pfx -inkey myhost.key -in myhost.crt -certfile letsencrypt-chain.crt
  1. Import myhost.pfx into the directory server:
pk12util -i myhost.pfx -d /etc/dirsrv/slapd-myserver -W agoodpassword
  1. Verify everything is installed:
certutil -L -d /etc/dirsrv/slapd-myserver
certutil -K -d /etc/dirsrv/slapd-myserver
  1. Enable TLS/SSL in the 389 Console gui following the instructions found in sec. 9.4.1.2 of the Red Hat Directory Administration Guide.

  2. Test connecting to the directory over TLS/SSL:

ldapsearch -LLL -v -x -H ldaps://ldap.example.com:636 -b "dc=example,dc=com" -s base "(objectclass=*)"

ldap_initialize( ldaps://ldap.example.com:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment