The LE root certificate needs to be installed into /etc/openldap/cacerts and c_rehash from the openssl-perl package needs to be executed in that directory.
Implemented in the ansible common role. Currently the complete Let's Encrypt CA certificates would be added:
- ISRG Root X1
- Let's Encrypt X3 cross-signed
- Let's Encrypt X3 ISRG Root X1 signed
Do you really want the cacerts to be deployed to /etc/openldap/cacerts/ or /etc/openldap/certs? I'm asking because the directory /etc/openldap/certs exists at least on git01.ipfire.org but the directory /etc/openldap/cacerts/ does not.
Yes, put them into /etc/openldap/cacerts, please.
Today I tried to deploy a machine and c_rehash wasn't installed. I didn't think it should be installed as part of the common packages and created an extra task for that. Please review and change it if that wasn't a good idea.
I prefer to install the certificates into the Fedora / CentOS ca trust store (/etc/pki/ca-trust/source/anchors/). This way we don't need to configure every application to use the certs below the openldap path. Additionally we don't need to install c_rehash as this will be done by the "update-ca-trust" program.
I can't find an extra task for the c_rehash installation?!
Done
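The two deployment variants discussed in this thread, written out as an added Ansible example. This is not the IPFire ansible common role and not code from any participant; it assumes the role ships the Let's Encrypt root as files/isrgrootx1.pem (hypothetical filename), that the host is Fedora/CentOS with the ca-certificates and openssl-perl packages available, and that the OpenLDAP client reads /etc/openldap/ldap.conf. Variant A is the system trust store approach preferred above (update-ca-trust does the hashing, so c_rehash is unnecessary); variant B is the per-application /etc/openldap/cacerts directory, which only works if c_rehash has created the subject-hash symlinks and ldap.conf actually points at that directory.

```yaml
# Added example, not the IPFire ansible common role.
# Assumed: files/isrgrootx1.pem exists in the role (hypothetical name).
- name: Make the Let's Encrypt root (ISRG Root X1) trusted on Fedora/CentOS
  hosts: all
  become: true
  vars:
    le_root_pem: isrgrootx1.pem          # assumed file name under files/
    deploy_to_openldap_cacerts: false    # true selects variant B below
  tasks:
    # Variant A: system CA trust store. update-ca-trust regenerates the
    # hashed directories and bundles under /etc/pki/ca-trust/extracted,
    # so every OpenSSL/NSS/GnuTLS application sees the CA without c_rehash.
    - name: Install ISRG Root X1 into the CA trust anchors
      ansible.builtin.copy:
        src: "{{ le_root_pem }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ le_root_pem }}"
        owner: root
        group: root
        mode: "0644"
      notify: Update CA trust

    # Variant B: OpenLDAP-only directory. OpenSSL resolves CAs in a CApath
    # through <subject-hash>.0 symlinks, which c_rehash (openssl-perl)
    # creates; a bare PEM in the directory is ignored by libldap.
    - name: Install openssl-perl for c_rehash
      ansible.builtin.package:
        name: openssl-perl
        state: present
      when: deploy_to_openldap_cacerts

    - name: Create /etc/openldap/cacerts
      ansible.builtin.file:
        path: /etc/openldap/cacerts
        state: directory
        owner: root
        group: root
        mode: "0755"
      when: deploy_to_openldap_cacerts

    - name: Install ISRG Root X1 into /etc/openldap/cacerts
      ansible.builtin.copy:
        src: "{{ le_root_pem }}"
        dest: "/etc/openldap/cacerts/{{ le_root_pem }}"
        owner: root
        group: root
        mode: "0644"
      when: deploy_to_openldap_cacerts
      notify: Rehash openldap cacerts

    # Assumed: the LDAP client config is /etc/openldap/ldap.conf.
    - name: Point the OpenLDAP client at the cacerts directory
      ansible.builtin.lineinfile:
        path: /etc/openldap/ldap.conf
        regexp: '^TLS_CACERTDIR\s'
        line: "TLS_CACERTDIR /etc/openldap/cacerts"
      when: deploy_to_openldap_cacerts

  handlers:
    - name: Update CA trust
      ansible.builtin.command: update-ca-trust

    - name: Rehash openldap cacerts
      ansible.builtin.command: c_rehash /etc/openldap/cacerts
```

After variant A, `trust list | grep -i isrg` on the host confirms the anchor is in the store; after variant B, `openssl verify -CApath /etc/openldap/cacerts server.pem` against the LDAP server's certificate is the check that the hash symlinks were actually created, since a copy step that ran without the c_rehash handler leaves a directory that looks populated but verifies nothing.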