





















We have an internal OpenLDAP server on ldap.example.com (the actual domain name is obviously different) which uses LDAPS and/or STARTTLS. To maintain a certificate for that server we use Caddy to host a simple phonebook-type UI on https://ldap.example.com. Caddy gets a certificate for ldap.example.com from our internal ACME-based CA and keeps it up to date. There is a systemd path unit that watches the Caddy certificate directory for ldap.example.com, and if the certificate file changes, it (and its associated private key and intermediate certificate) are copied to the OpenLDAP server and the OpenLDAP server is restarted.
This approach would be reasonably easy to generalise and would also work with CertBot or similar tools instead of Caddy. (We have Caddy on the machine, anyway, because of other things, so having it do a little extra work is no problem.)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。