[SAC] [OSGeo] #2295: Replace ldaps STAR cert with letsencrypt or single cert
OSGeo
trac_osgeo at osgeo.org
Thu Apr 25 21:54:58 PDT 2019
#2295: Replace ldaps STAR cert with letsencrypt or single cert
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
Type: task | Status: new
Priority: blocker | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------
Comment (by robe):
I went ahead and got a letsencrypt wildcard cert for osgeo using the
following command on the nginx container:
{{{
certbot certonly --manual --preferred-challenges=dns -d '*.osgeo.org'
}}}
I had to put in a TXT record in osgeo DNS Pair for this,
which gave me:
{{{
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/osgeo.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/osgeo.org/privkey.pem
Your cert will expire on 2019-07-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
}}}
and then copied the generated files to secure /etc/ssls/certs/osgeo.org.
I was hoping I could just edit the slapd.conf and restart the slapd service,
as is documented in the wiki - https://wiki.osgeo.org/wiki/SAC:LDAP
But it appears the wiki is out of date, and we no longer use the
slapd.conf and have switched to OLC,
which is in /etc/ldap/slapd.d/ - cp=config.ldif file.
I read I should edit this using ldapmodify or ldapbrowser. I'm hesitant
to go any further lest I screw things up.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2295#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
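
The OLC step the comment stops short of, as an added example (not part of the original ticket or OSGeo's configuration): a shell helper that checks the copied files and emits one `ldapmodify` change record for `cn=config`. The directory argument and the assumption that the copied files keep certbot's names `fullchain.pem` and `privkey.pem` are illustrative.

```shell
#!/bin/sh
# Added example. Builds the LDIF that repoints slapd's OLC TLS settings.
# Assumption: DIR holds fullchain.pem and privkey.pem as written by certbot.

# tls_ldif DIR -> prints an LDIF change record, or returns 1 with a reason.
tls_ldif() {
    dir=$1
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    done
    # A private key readable by every local user defeats the point of TLS.
    if [ -n "$(find -L "$key" -perm -004)" ]; then
        echo "world-readable key: $key" >&2
        return 1
    fi
    # Certificate and key are replaced in ONE modify operation so slapd
    # never holds a mismatched pair between two separate changes.
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
EOF
}

# Record the current values first, so the change can be reverted:
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
#       olcTLSCertificateFile olcTLSCertificateKeyFile
# Apply as root on the LDAP host (files must be readable by the slapd user):
#   tls_ldif /path/to/cert/dir | ldapmodify -Y EXTERNAL -H ldapi:///

# Demo on constructed, empty placeholder files (no real certificate involved).
demo_dir=$(mktemp -d)
: > "$demo_dir/fullchain.pem"
: > "$demo_dir/privkey.pem"
chmod 600 "$demo_dir/privkey.pem"
tls_ldif "$demo_dir"
rm -rf "$demo_dir"
```

Files under `/etc/ldap/slapd.d/` are not meant to be edited by hand; changes made through `ldapmodify` take effect in the running server.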