LetsEncrypt Certificates on Ubuntu
Here's how to set up LetsEncrypt certificates on Ubuntu 22.04 for use in OpenLDAP.
Requirements
- OpenLDAP/slapd installed without SSL/TLS certificates configured yet (see Installing OpenLDAP (2.5 and later)).
- LetsEncrypt installed, with certificates already issued under the /etc/letsencrypt directory structure (live/ and archive/). See the LetsEncrypt getting-started guide if you have not done this yet.
Give the slapd user (openldap) access to the LetsEncrypt directories and files in two steps: file-system permissions and AppArmor.
1. setfacl
This grants the openldap user read and traverse access to the two directories via an ACL (the same could be achieved with chown/chmod).
sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live
sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive
2. apparmor
AppArmor is Ubuntu's mandatory access control system, filling the role SELinux has on other distributions. If you aren't running it, you can skip this step.
Create /etc/apparmor.d/local/usr.sbin.slapd with the following content.
/etc/letsencrypt/live/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here r,
/etc/letsencrypt/archive/your.domain.here/** r,
3. Restart apparmor:
sudo service apparmor restart
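Before pointing slapd at the files (steps 4 onwards), it is worth checking that the openldap user can actually read them through the live/ symlinks: certbot creates the key files in archive/ with mode 0600, so a read ACL on the directories alone does not necessarily make privkey.pem readable. The script below is an added example, not part of this page or of OpenLDAP/certbot. It assumes GNU coreutils (readlink -f, find -perm) and sudo for the as-user check, and uses the openldap user and the /etc/letsencrypt/live/your.domain.here path from the steps above.

```sh
#!/bin/sh
# le_preflight.sh: check that the LetsEncrypt files slapd will load exist,
# resolve into archive/, keep the private key non-world-readable, and are
# readable by the slapd user. Added example, not from the original page.
# Assumes GNU coreutils and sudo; user "openldap" and the lineage path are
# the ones used in the page.

# le_resolve_files LINEAGE_DIR: print the archive paths that fullchain.pem and
# privkey.pem point to; fail on a missing or dangling symlink.
le_resolve_files() {
  for f in fullchain.pem privkey.pem; do
    link="$1/$f"
    [ -e "$link" ] || { echo "missing or dangling: $link" >&2; return 1; }
    readlink -f "$link" || return 1
  done
}

# le_key_is_private KEYFILE: succeed only if "other" has no read bit, i.e. the
# key is not world-readable (certbot creates it 0600; keep it that way and
# grant slapd access via ACL instead of chmod 644).
le_key_is_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -maxdepth 0 -perm -o=r)" ]
}

# le_check_as_user USER LINEAGE_DIR: the real test, run as root. test -r follows
# the live/ symlinks, so a failure means a directory ACL or the file mode is
# still blocking USER. Needs sudo, so it is not exercised by the self-test.
le_check_as_user() {
  user=$1
  for f in "$2/fullchain.pem" "$2/privkey.pem"; do
    if sudo -u "$user" test -r "$f"; then
      echo "ok   $user can read $f"
    else
      echo "FAIL $user cannot read $f (directory ACL or file mode)" >&2
      return 1
    fi
  done
}

# le_preflight USER LINEAGE_DIR: run all checks; a non-zero exit means do not
# point olcTLSCertificateKeyFile/olcTLSCertificateFile at these files yet.
le_preflight() {
  files=$(le_resolve_files "$2") || return 1
  key=$(printf '%s\n' "$files" | sed -n 2p)
  le_key_is_private "$key" || { echo "FAIL $key is world-readable" >&2; return 1; }
  le_check_as_user "$1" "$2"
}

# Usage (as root): sh le_preflight.sh openldap /etc/letsencrypt/live/your.domain.here
if [ -n "${1:-}" ]; then
  le_preflight "$1" "${2:-/etc/letsencrypt/live/your.domain.here}"
fi
```

Run it as root before step 7 and again after any chmod/setfacl change; if le_check_as_user fails on privkey.pem while the directory ACLs are in place, the missing piece is read access on the key file in archive/ itself.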
4. You may need to add these TLS settings, unless they are already set. Put the following lines in /root/add_ssl.ldif:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
5. If you use slapd.conf instead of cn=config, add these lines to your slapd.conf in /opt/symas/etc/openldap:
TLSVerifyClient never
TLSProtocolMin 3.1
TLSCipherSuite NORMAL
6. If you need them (cn=config case), add them with:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/add_ssl.ldif
7. Point OpenLDAP at the LetsEncrypt certificates by putting the following in /etc/add_letsencrypt_ssl.ldif:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
8. Then run this to import it:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/add_letsencrypt_ssl.ldif
9. If you haven't already enabled ldaps in /etc/default/slapd do that now:
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
10. Restart openldap:
sudo service slapd restart
Reload Certificates When Renewed
1. Put this in the /etc/ldap directory, so we can re-use it when the LetsEncrypt certificate is renewed:
# /etc/ldap/add_letsencrypt_ssl.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/your.domain.here/privkey.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/your.domain.here/fullchain.pem
2. Then put this in /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd; certbot runs every executable in that directory after a successful renewal. The name of the script can be whatever you want.
#!/bin/sh
# certbot sets RENEWED_LINEAGE to the live directory of the renewed certificate
# (e.g. /etc/letsencrypt/live/your.domain.here), so compare the full path.
if [ "$RENEWED_LINEAGE" = /etc/letsencrypt/live/your.domain.here ]
then
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/add_letsencrypt_ssl.ldif
fi
3. Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd
slapd now reloads the certificates after each renewal without the daemon itself being restarted, so there is no noticeable downtime.
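To confirm both the TLS configuration (steps 4 to 10) and the renewal hook end to end, check that the certificate slapd presents on ldaps:// verifies against the system CA bundle, is the same one as fullchain.pem on disk, and see how long it has left; running that same check right after invoking the hook with the variables certbot exports shows that the reload worked without a restart. The script below is an added example, not part of this page, OpenLDAP or certbot. It assumes the openssl command-line tool, GNU date (for -d), and the lineage path, hook path and CA bundle used above (override LINEAGE and HOOK in the environment if yours differ).

```sh
#!/bin/sh
# le_slapd_verify.sh: confirm that slapd serves the certificate that is on disk,
# and exercise the deploy hook the way certbot does. Added example, not from the
# original page. Assumes the openssl CLI, GNU date (-d), and the paths below.
LINEAGE=${LINEAGE:-/etc/letsencrypt/live/your.domain.here}
HOOK=${HOOK:-/etc/letsencrypt/renewal-hooks/deploy/reload_le_certs_in_slapd}
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # same bundle as olcTLSCACertificateFile

# le_norm_fp: read an openssl "... Fingerprint=AB:CD:..." line on stdin and print
# the bare lowercase hex digest so two fingerprints can be compared as strings.
le_norm_fp() {
  sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# le_days_left NOTAFTER_LINE [NOW_EPOCH]: whole days until the certificate in a
# "notAfter=Jun  1 12:00:00 2025 GMT" line (openssl x509 -enddate) expires;
# negative if already expired. NOW_EPOCH is optional and exists for reproducible tests.
le_days_left() {
  exp=$(date -u -d "${1#notAfter=}" +%s) || return 1
  now=${2:-$(date -u +%s)}
  echo $(( (exp - now) / 86400 ))
}

# le_verify HOST [PORT]: connect to ldaps, require the chain to verify against the
# system CA bundle, and require the served leaf to match $LINEAGE/fullchain.pem.
le_verify() {
  host=$1; port=${2:-636}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$CA_BUNDLE" </dev/null 2>&1) \
    || { echo "FAIL cannot connect to $host:$port" >&2; return 1; }
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
    || { echo "FAIL chain from $host does not verify against $CA_BUNDLE" >&2; return 1; }
  served=$(printf '%s\n' "$out" | openssl x509 -noout -fingerprint -sha256 | le_norm_fp)
  disk=$(openssl x509 -in "$LINEAGE/fullchain.pem" -noout -fingerprint -sha256 | le_norm_fp)
  [ "$served" = "$disk" ] \
    || { echo "FAIL served $served != on-disk $disk (slapd still holds the old cert?)" >&2; return 1; }
  days=$(le_days_left "$(openssl x509 -in "$LINEAGE/fullchain.pem" -noout -enddate)")
  echo "ok   $host:$port serves $disk, expires in $days days"
}

# le_run_hook: run the deploy hook with the two variables certbot exports to it
# (RENEWED_LINEAGE, RENEWED_DOMAINS), then verify slapd picked the certificate up.
le_run_hook() {
  domain=${LINEAGE##*/}
  RENEWED_LINEAGE=$LINEAGE RENEWED_DOMAINS=$domain sh "$HOOK" || return 1
  le_verify "$domain"
}

# Usage (as root, after step 10 or after a renewal):
#   sh le_slapd_verify.sh verify your.domain.here
#   sh le_slapd_verify.sh hook
case "${1:-}" in
  verify) le_verify "$2" "${3:-636}" ;;
  hook)   le_run_hook ;;
esac
```

A fingerprint mismatch after "hook" means the ldapmodify in the deploy script ran but slapd did not re-read the files (check the hook's exit status and the path comparison); a verify failure with a matching fingerprint usually means the chain file or the CA bundle path in olcTLSCACertificateFile is wrong.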