Every few years we have to renew SSL certificates, and there is always something that can go wrong. So I decided to reproduce the exact steps here so that Google can find them for the next unfortunate soul who has the same problem.
Let's examine the old LDAP configuration:

deenes:/etc/ldap/slapd.d# grep ssl cn\=config.ldif
olcTLSCACertificateFile: /etc/ssl/certs/chain-101-mudrac.ffzg.hr.pem
olcTLSCertificateFile: /etc/ssl/certs/cert-chain-101-mudrac.ffzg.hr.pem
olcTLSCertificateKeyFile: /etc/ssl/private/mudrac.ffzg.hr.gnutls.key

We need to convert the OpenSSL key into a format which GnuTLS understands (Debian's slapd is linked against GnuTLS, not OpenSSL):
deenes:/etc/ssl/private# certtool -k < star_ffzg_hr.key > /tmp/star_ffzg_hr.gnutls.key

Note that certtool -k prints a human-readable summary of the key followed by the PEM block; slapd reads such a file without trouble. Also note that the redirect writes the private key under /tmp, world-readable under a default umask, so move it into /etc/ssl/private (where it appears in the listing further down) and fix its permissions before anything else.

Then we need to create a certificate file which includes our certificate and the required chain in the same file, our own certificate first and the intermediate CA after it, because GnuTLS sends the blocks in the order they appear:
deenes:/etc/ldap/slapd.d# cat /etc/ssl/certs/star_ffzg_hr.crt /etc/ssl/certs/DigiCertCA.crt > /etc/ssl/certs/chain-star_ffzg_hr.crt

That is not all. OpenLDAP doesn't run with root privileges, so we have to make sure that its user is in the ssl-cert group (on Debian /etc/ssl/private is mode 710, owned by root:ssl-cert, so only members of that group can even enter the directory) and that our certificates have the correct permissions:
deenes:/etc/ldap/slapd.d# id openldap
uid=109(openldap) gid=112(openldap) groups=112(openldap),104(ssl-cert)
deenes:/etc/ldap/slapd.d# chgrp ssl-cert \
    /etc/ssl/certs/DigiCertCA.crt \
    /etc/ssl/certs/star_ffzg_hr.crt \
    /etc/ssl/certs/chain-star_ffzg_hr.crt \
    /etc/ssl/private/star_ffzg_hr.gnutls.key
deenes:/etc/ldap/slapd.d# chmod 440 \
    /etc/ssl/certs/DigiCertCA.crt \
    /etc/ssl/certs/star_ffzg_hr.crt \
    /etc/ssl/certs/chain-star_ffzg_hr.crt \
    /etc/ssl/private/star_ffzg_hr.gnutls.key
deenes:/etc/ldap/slapd.d# ls -al \
    /etc/ssl/certs/DigiCertCA.crt \
    /etc/ssl/certs/star_ffzg_hr.crt \
    /etc/ssl/certs/chain-star_ffzg_hr.crt \
    /etc/ssl/private/star_ffzg_hr.gnutls.key
-r--r----- 1 root ssl-cert 3764 Jan 19 09:45 /etc/ssl/certs/chain-star_ffzg_hr.crt
-r--r----- 1 root ssl-cert 1818 Jan 17 16:13 /etc/ssl/certs/DigiCertCA.crt
-r--r----- 1 root ssl-cert 1946 Jan 17 16:13 /etc/ssl/certs/star_ffzg_hr.crt
-r--r----- 1 root ssl-cert 5558 Jan 19 09:23 /etc/ssl/private/star_ffzg_hr.gnutls.key

Strictly speaking only the private key needs to be this restrictive: the certificates are public, and making them mode 440 will break any other service on the same box that reads those files but does not run in the ssl-cert group. Finally, we can modify the LDAP configuration to use the new files. The cleanest way is ldapmodify against cn=config over ldapi:///, replacing all three olcTLS* attributes in a single operation so that slapd never checks a new key against the old certificate; editing the .ldif files under slapd.d by hand also works, but only while slapd is stopped. Either way, the result should look like this:
deenes:/etc/ldap/slapd.d# grep ssl cn\=config.ldif
olcTLSCACertificateFile: /etc/ssl/certs/DigiCertCA.crt
olcTLSCertificateFile: /etc/ssl/certs/chain-star_ffzg_hr.crt
olcTLSCertificateKeyFile: /etc/ssl/private/star_ffzg_hr.gnutls.key

We are done; restart slapd and enjoy your new certificates! Before walking away, confirm that clients actually get the new chain, for example with openssl s_client -connect <host>:636 -showcerts: the first certificate shown should be the new one, the intermediate should follow it, and the verify return code should be 0.