Opened 6 years ago

Closed 6 years ago

#2295 closed task (fixed)

Replace old secure with new secure

Reported by: robe Owned by: sac@…
Priority: blocker Milestone: Sysadmin Contract 2019-I
Component: SysAdmin Keywords:


Right now LDAP server ldaps:// is using the star cert which is about to expire as running

openssl s_client -connect

confirms. This will expire 5/1/2019 so needs to be replace.

Change History (10)

comment:1 by robe, 6 years ago

I went ahead and got a letsencrypt wildcard cert for osgeo using the command on nginx container

certbot certonly --manual --preferred-challenges=dns -d *

I had to put in a TXT record in osgeo DNS Pair for this

Which gave me a -

- Congratulations! Your certificate and chain have been saved at:
  Your key file has been saved at:
  Your cert will expire on 2019-07-25. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:
  Donating to EFF:          

and then copied the generated files to secure /etc/ssls/certs/

I was hoping I could just edit the slapd.conf restart the slapd service, as is documented in the wiki -

But it appears the wiki is out of date, and we no longer use the slapd.conf and have switched to OLC. Which is in /etc/ldap/slapd.d/ - cp=config.ldif file

I read I should edit this using ldapmodify or ldapbrowser. I'm hesitant to go any further lest I screw things up.

comment:2 by robe, 6 years ago

I got as far as creating an ssl.ldif that has this in it:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile:  /etc/ssl/certs/
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/
replace: olcTLSCertificateFile
olcTLSCertificateFile:  /etc/ssl/certs/

And then trying to install with this (note I'm doing this on replica of secure, not on secure directly yet)

ldapmodify  -W -D "cn=Manager,dc=osgeo,dc=org" -H ldaps:// -f ssl.ldif

and it prompted me with a password which I found in the root/access list for phpldap.

But I got this error:

modifying entry "cn=config" ldap_modify: Insufficient access (50)

If I type in the wrong password I do get a invalid password, so I have the right password for this account, but this one appears to not have enough privilege to edit the configs

comment:3 by robe, 6 years ago

I tried tricking the system by sym-linking the letsencrypt cert files to the old names. That did not work on the old-secure container so I didn't bother with the actual secure.

Sooo I've moved on to plan D - which was the eventual direction of scraping the old ldap and replacing with a new LDAP.

I have a container on osgeo7 called new-secure - which has 636 open to OSUOSL domain and LXD subdomain. I'm going to transcribe the rest of the whitelists to it once I've troubleshooted some things and tested on some other things.

The new ldap is running Debian 9 and using letsencrypt wildcard cert. Took a lot of fumbling to figure out how to get this working and I documented my steps in the gitea/sac/osgeo7/wiki. I also restored the old ldap users database, but not the config. config I rebuilt from scratch since trying to use the old I couldn't do an ldapmodify.

I tested accessing it from VM (which is fairly new), the nextcloud container (swapping out old ldap with new ldap) and both worked:

Here is a test

ldapsearch -x "uid=robe" -b "dc=osgeo,dc=org"  -H ldaps://

Which shows my details.

However this did not work on current secure or osgeo6 (I assume it will be an issue with all our old servers) -- I think just missing an intermediary cert for le, because when I run:

ldapsearch -d1 -x "uid=robe" -b "dc=osgeo,dc=org"  -H ldaps:// #d1 for debug details

on secure gives this:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

If I swap out the letsencrypt on ldap2 with the old ssl, secure can query it. So it's definitely the cert and not any firewall issue.

I was disappointed this did not work out of the box on osgeo6 and gave the same notice

ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

But it could be we've been copying the cert authorities across all the servers and they are just missing the newer ones.

Anyway hoping it's simple as just copying newer certs as this describes:

Last edited 6 years ago by robe (previous) (diff)

comment:4 by robe, 6 years ago

Tested on and that one works too.

I tried on and it worked with and not

If I edit /etc/ldap/ldap.conf

Taking out the old star cert and replacing with the packaged certificate bundle, then it works on her too.

#TLS_CACERT /etc/ssl/certs/  #this file you need to copy from osgeo6 as well
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

I guess with the newer servers I had set up , I never bothered changing the default TLS_CACERT since it seemed to work without the change so that might be why all the newer ones I setup work.

I just tried on old-adhoc and works too if I change the TLS_CACERT entry. There is a similar change I think I need to make possibly in the nss files for login will test that next.

Version 0, edited 6 years ago by robe (next)

comment:5 by robe, 6 years ago

okay on old-adhoc (and I'm guessing I got to fix all the servers even the new ones I created (as this was in my setup template). I had to do a similar change in /etc/nslcd.conf

as it hadth star certbundle instead of the shipped cert file

#tls_cacertfile /etc/ssl/certs/
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

Changing the file is not sufficient. The services need to be restarted - though I ended just rebooting the container, so have to outline which services need restarting.

comment:6 by robe, 6 years ago

Summary: Replace ldaps STAR cert with letsencrypt or single certReplace old secure with new secure

Changing ticket title since I plan to swap out old with new secure after I have remigrated the ldap user database.

comment:7 by robe, 6 years ago

Looks like doing

service nslcd restart  #LDAP connection daemon

Is sufficient to allow login access using new ssh key (after /etc/nslcd.conf is changed to use the OS packaged cert bundle)

comment:8 by robe, 6 years ago

Okay I hope i didn't miss any. I had to change the following servers to use the OS included cert bundle (needed for cert root authentication) and told jef to change the QGIS ones in same fashion. Without this change we can never use anything but the cert. The OS packaged bundle works for both the existing cert (expiring May 1) and the new Letsencrypt cert.

Change was as follows: on /etc/ldap/ldap.conf

#TLS_CACERT /etc/ssl/certs/  #this file you need to copy from osgeo6 as well
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

on /etc/nslcd.conf

#tls_cacertfile /etc/ssl/certs/
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

followed by

service nslcd restart

Done to:

all the containers on osgeo7 that use ldap
Servers - (this has bee migrated but it's still on and need to check if anything left) #note this will hopefully be defunct soon once I have webdav onnew container #this sites now on old-projects on osgeo7, dut did this just in case mssed anything #most stuff already migrated  (and on old-web container)

comment:9 by robe, 6 years ago

I have done a final migration of the user database and shut down the slapd on

I have brought up the new one with ip

I expect people to have log in issues until the changes propagate, but I'd rather that than the old database being written to.

comment:10 by robe, 6 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.