Re: slapd and LetsEncrypt certificates: does a cert renewal necessitate a server restart?
Olivier wrote:
> Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca> writes:
>
>> As the subject says, I'm contemplating the use of LetsEncrypt TLS certificates.
>> Is there a way to make slapd aware of a cert renewal (they happen every 90
>> days) without restarting it, i.e., with minimal service interruption?
>
> I *do* restart slapd after I installed the new Let's Encrypt
> certificate.
Use ldapmodify to set the new cert in cn=config. No restarts needed.
>
> I doubt there is any other way to make the LDAP server aware of the
> certificate change. And this is a 20 seconds interruption, nothing worth
> mentioning (or you are a big organization, then you have redundant LDAP
> servers and you would upgrade one at a time so it should be transparent
> to your users).
>
> Best regards,
>
> Olivier
>
>>
>> thanks,
>> jf
>>
>>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
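
The ldapmodify approach from the reply above, sketched as a renewal hook. This is an added example, not code from the thread or from the OpenLDAP project; the file paths, the `ldapi:///` socket with SASL EXTERNAL, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: push renewed certificate paths into cn=config.
# Assumed: slapd uses cn=config and root may modify it over ldapi:///.

NL='
'

# Emit ONE LDIF modify request that replaces both TLS attributes,
# so certificate and key are changed in the same operation.
build_tls_ldif() {
    cert=$1; key=$2
    for v in "$cert" "$key"; do
        case $v in
            # A newline in a value would let it add extra LDIF lines.
            *"$NL"*) echo "refusing path containing a newline" >&2; return 1 ;;
            # Absolute paths only; this also rules out a leading
            # space, ':' or '<', which LDIF treats specially.
            /*) ;;
            *) echo "refusing non-absolute path: $v" >&2; return 1 ;;
        esac
    done
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: olcTLSCertificateFile' \
        "olcTLSCertificateFile: $cert" \
        '-' \
        'replace: olcTLSCertificateKeyFile' \
        "olcTLSCertificateKeyFile: $key"
}

# Send the request to the running slapd; no restart involved.
apply_tls_ldif() {
    # Fail early if either file is missing or unreadable to this user.
    [ -r "$1" ] && [ -r "$2" ] || { echo "cert or key not readable" >&2; return 1; }
    build_tls_ldif "$1" "$2" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage (paths are placeholders):
#   sh this-script --apply /path/to/cert.pem /path/to/privkey.pem
if [ "${1:-}" = "--apply" ]; then
    apply_tls_ldif "$2" "$3"
fi
```

The private key must also be readable by the account slapd runs as, which the readability check here (run as the invoking user) does not verify.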