DataONEorg / cn-buildout

cn-buildout migrated from SVN

Adjust `slapd` to use Let's Encrypt certs #1

Open datadavev opened 2 years ago

datadavev commented 2 years ago

slapd is configured to use server certificates signed by the DataONE CA. This was necessary back in the day because slapd does not work with wildcard certificates.

Action: Edit /etc/ldap/slapd.conf, example for sandbox:

```
TLSCACertificateFile     /etc/letsencrypt/live/cn-sandbox.test.dataone.org/fullchain.pem
TLSCertificateFile       /etc/letsencrypt/live/cn-sandbox.test.dataone.org/cert.pem
TLSCertificateKeyFile    /etc/letsencrypt/live/cn-sandbox.test.dataone.org/privkey.pem
```

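
The comment above gives the three directives to edit but no way to confirm the new files are usable before slapd is restarted. The script below is an added example, not code from the cn-buildout project or from the issue author: it parses the TLS* directives out of a slapd.conf, checks that each referenced file can be read, and checks that the certificates have not expired (the failure that forced the sandbox change). The function names, the `make_sample_cert` stand-in certificate and the in-memory file contents in `demo()` are constructed for the example; the paths in `SAMPLE_CONF` are the ones from the comment.

```python
# Added example, not cn-buildout code: a pre-restart sanity check for the slapd
# TLS directives in the issue. The DER walk only locates a certificate's
# validity field; it is not a general X.509 parser.
import base64
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")


def parse_slapd_conf(text):
    """Return {directive: value} for the TLS* directives in slapd.conf text."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)  # comments start with '#', which is never a directive
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found


def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(pem_text):
    """notAfter of the first CERTIFICATE block in PEM text (aware UTC), or None if absent."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                        # optional explicit [0] version
        p = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                 # validity SEQUENCE
    _, _, p = _tlv(der, p)                 # skip notBefore
    tag, s, e = _tlv(der, p)               # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def check_slapd_tls(conf_text, now=None, warn_days=14, read_file=None):
    """Return a list of findings; an empty list means the TLS file setup looks sound."""
    now = now or datetime.now(timezone.utc)
    read_file = read_file or (lambda path: Path(path).read_text())
    findings, directives = [], parse_slapd_conf(conf_text)
    for name in TLS_DIRECTIVES:
        path = directives.get(name)
        if path is None:
            findings.append(f"{name} is not set")
            continue
        try:
            content = read_file(path)
        except OSError as exc:
            findings.append(f"{name}: cannot read {path} ({exc})")
            continue
        if name == "TLSCertificateKeyFile":  # for the key, readability is the check
            continue
        expiry = cert_not_after(content)
        if expiry is None:
            findings.append(f"{name}: {path} contains no certificate")
        elif expiry <= now:
            findings.append(f"{name}: {path} expired on {expiry:%Y-%m-%d}")
        elif (expiry - now).days < warn_days:
            findings.append(f"{name}: {path} expires in {(expiry - now).days} days")
    return findings


def make_sample_cert(not_after):
    """Constructed, unsigned stand-in certificate carrying only the fields the walker reads."""
    def der(tag, payload):  # short-form lengths only; every payload here is under 128 bytes
        return bytes([tag, len(payload)]) + payload
    stamp = not_after.strftime("%y%m%d%H%M%SZ").encode("ascii")
    validity = der(0x30, der(0x17, b"211026000000Z") + der(0x17, stamp))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"") + validity
    body = base64.b64encode(der(0x30, der(0x30, tbs))).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample conf with the same directives and paths as the cn-sandbox change.
SAMPLE_CONF = """\
TLSCACertificateFile     /etc/letsencrypt/live/cn-sandbox.test.dataone.org/fullchain.pem
TLSCertificateFile       /etc/letsencrypt/live/cn-sandbox.test.dataone.org/cert.pem
TLSCertificateKeyFile    /etc/letsencrypt/live/cn-sandbox.test.dataone.org/privkey.pem
"""


def demo(cert_days=60):
    """Run the checks against in-memory stand-ins for the files named in SAMPLE_CONF."""
    now = datetime(2021, 10, 26, tzinfo=timezone.utc)  # the day the sandbox was switched
    live = "/etc/letsencrypt/live/cn-sandbox.test.dataone.org/"
    cert = make_sample_cert(now + timedelta(days=cert_days))
    files = {live + "fullchain.pem": cert, live + "cert.pem": cert, live + "privkey.pem": "(key stand-in)"}
    return check_slapd_tls(SAMPLE_CONF, now=now, read_file=lambda path: files[path])
```

Two things the check cannot tell you on its own: slapd runs as an unprivileged user (`openldap` on Debian and Ubuntu) and the key files certbot writes are root-only by default, so the readability check only means something when it is run as that user; and slapd loads the files at start, so once the 90-day Let's Encrypt certificates renew, a certbot deploy hook has to restart or reload slapd or it keeps serving the old certificate.
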
datadavev commented 2 years ago

This change was implemented on cn-sandbox 2021-10-26 as the DataONE signed certificate had expired. After editing slapd.conf, slapd was restarted and normal operations resumed.

Stage and production are not yet done.

taojing2002 commented 2 years ago

I reconfigured cn-stage-ucsb/orc-1 and restarted the LDAP server. It seems to be working.

We may need to put the production cns into read-only mode to make changes.

The code in cn-buildout needs to be adjusted as well.