1 (edited by j24 2016-10-04 13:53:35)

Topic: Patch: apparmor profile for enabling Let's Encrypt certs

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: Ubuntu 14.04.5 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

To be able to install Let's Encrypt certificates with OpenLDAP, I suggest the following patch to the official config:

In file /etc/apparmor.d/usr.sbin.slapd replace:
 
  #include <abstractions/ssl_certs>
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

with

  #include <abstractions/ssl_keys>

And in file /etc/apparmor.d/abstractions/ssl_keys add row:

  /etc/letsencrypt/** r,

----

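The two edits above are easy to get slightly wrong by hand (a leftover `/etc/ssl/private` rule, a missing include), and a broken profile stops slapd from starting once the profile is reloaded. The script below is an added example, not part of the post and not iRedMail's or Ubuntu's code: it applies both edits to whatever profile and abstraction files it is pointed at, and rehearses them on a constructed scratch copy. The sample profile text is constructed for the example and only mirrors the lines the post quotes; it is not the full Ubuntu `usr.sbin.slapd` profile. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the forum post or the iRedMail project).
# Rehearses the two AppArmor edits from the post on scratch files so the
# change can be checked before /etc/apparmor.d is touched.

# Constructed sample of the profile fragment the post refers to; only the
# lines relevant to the edit are included.
write_sample_profile() {
  cat > "$1" <<'EOF'
#include <tunables/global>

/usr/sbin/slapd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  #include <abstractions/ssl_certs>
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

  /etc/ldap/slapd.d/ r,
  /etc/ldap/slapd.d/** r,
}
EOF
}

# Constructed stand-in for /etc/apparmor.d/abstractions/ssl_keys.
write_sample_ssl_keys() {
  cat > "$1" <<'EOF'
  /etc/ssl/private/ r,
  /etc/ssl/private/** r,
  #include <abstractions/ssl_certs>
EOF
}

# Edit 1: replace the ssl_certs include with ssl_keys (keeping the line's
# indentation) and drop the two /etc/ssl/private rules it replaces.
patch_slapd_profile() {
  awk '
    /^[[:space:]]*#include <abstractions\/ssl_certs>/ {
      sub(/ssl_certs/, "ssl_keys"); print; next
    }
    /^[[:space:]]*\/etc\/ssl\/private\/[*]? r,/ { next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Edit 2: append the Let's Encrypt read rule to the ssl_keys abstraction,
# skipping it if already present so the script can be re-run safely.
add_letsencrypt_rule() {
  grep -qF '/etc/letsencrypt/** r,' "$1" \
    || printf '  /etc/letsencrypt/** r,\n' >> "$1"
}

# Count lines of a file containing a fixed string (0 when none), used to
# verify the edits actually took effect.
count_matches() {
  grep -cF -- "$2" "$1" || true
}

# Rehearsal on scratch copies; point the functions at the real files
# (as root) once the output looks right.
work=$(mktemp -d)
write_sample_profile "$work/usr.sbin.slapd"
write_sample_ssl_keys "$work/ssl_keys"
patch_slapd_profile "$work/usr.sbin.slapd"
add_letsencrypt_rule "$work/ssl_keys"
echo "--- patched usr.sbin.slapd ---"; cat "$work/usr.sbin.slapd"
echo "--- patched ssl_keys ---";       cat "$work/ssl_keys"
rm -rf "$work"
```

After applying the edits to the real files, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` and restart slapd; any remaining denial shows up in the kernel log as `apparmor="DENIED"` with `profile="/usr/sbin/slapd"` and the `name=` of the file slapd tried to open. Two caveats: `/etc/letsencrypt/** r,` lets slapd read every Let's Encrypt private key on the host, not just the one it serves, so on a host with several certificates a rule limited to the directories slapd actually uses is tighter; and AppArmor is only one gate, since the `openldap` user also needs filesystem read access to the key files, which certbot installs of that era created root-only.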

2

Re: Patch: apparmor profile for enabling Let's Encrypt certs

Thanks for sharing.

Since OpenLDAP is not accessible from the external network, I personally prefer not to use a bought (or Let's Encrypt) SSL cert, to avoid restarting/reloading the service, which may cause a service interruption (even just for 1 second or a few seconds).