[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd and LetsEncrypt certificates: does a cert renewal necessitate a server restart?

So as far as new filenames goes, I have been using https://github.com/Neilpang/acme.sh for awhile for other projects and it creates symlinks to the current cert, so this may be a more direct approach to dealing with this.

On Sep 10, 2019, at 8:15 AM, Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca> wrote:

* Michael Ströder <michael@stroeder.com> [20190910 11:07]:
On 9/10/19 3:34 PM, Howard Chu wrote:
Olivier wrote:
Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca> writes:

As the subject say, I'm contemplating the use of LetsEncrypt TLS certificates.
Is there a way to make slapd aware of a cert renewal (they happen every 90
days) without restarting it, ie, with minimal service interruption?

I *do* restart slapd after I installed the new Let's Encrypt

Use ldapmodify to set the new cert in cn=config. No restarts needed.

This requires to use new file names for cert and key files, doesn't it?

This is what I figure too!
Some LetsEncrypt pre- and post- hooks should do the trick though.
I'll see what I can come up with.

Thanks for the help, much appreciated!

Ciao, Michael.