[solved] Enable certificate renewal-hook in nethserver

For using SSL you need the letsencrypt one as it needs to be a valid cert in most cases.
You may disable strong auth on the remote Nethserver to use it without SSL, see the wiki

You can get a letsencrypt cert for both bdc.ourdomain.com and ad.ourdomain.com.

Yes, thats true, I can add them in letsencrypt cert. What about the query to the backupdomain controller. So you think that the needed certificate will be the one on which is installed on the bdc as the query will be against bdc this time?

As for the query directly on ad.domain.com I had successfully configured the following:

Hostname: ad.ourdomain.com
User DN: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Bind Credentials: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Base-DN: dc=ad,dc=ourdomain,dc=com

Now needing to configure query to the remote neth bdc, what do you think, I have to change for doing the same query but this time to the bdc.ourdomain.com? Just the hostname and the user? Or will also the dc have to change?

How did you realize this?

Yes, I think you need to point to the other DC, it’s not enough to point to the domain.

With backupdomain controller I mean, that I have setup a remote nethserver and joined it to the domain of the initial one holding the nsdc container. The router cannot reach nsdc container, thus it has to do queries on the bdc. For bdc I created a user ldapquery in ad and configured it in its user settings. Now I have to change the router that it queries ldap against bdc.ourdomain.com and not anymore directly against the nsdc container.

So that means I would have to:

Hostname: bdc.ourdomain.com
User DN: cn=ldapquery,ou=User,dc=ad,dc=ourdomain,dc=com
Bind Credentials: cn=ldapservice,ou=User,dc=ad or bdc,dc=ourdomain,dc=com
Base-DN: dc=ad,dc=ourdomain,dc=com ?

Where I am not sure are the dc, but I think they stay the same, right?

Sorry, that’s not possible this way.
For having a another DC answering to queries see the wiki.

Just tried. opnsense: LDAP bind error: Can’t contact LDAP server :frowning:

I thought, that this server will answer queries, but it does not ? For what did I have to create the ldapquery user? I thought reading in the documentation that it is used for ex. for nextcloud, which is installed on bdc and works fine with ad users btw. Well I’ll read the wiki then and see if there is a solution. Or I will have to set static routes, so that the query can go to the nsdc through ipsec site2site vpn.

Mhm, as it is an experimental thing described on the wiki, and we will soon go in production, I guess it is a nogo. As you explained to me, bdc will not answer to dns queries, so my only way is to establish the correct routes so that the router will be able to reach the nsdc container to query for? And that also means, that I will need the selfsigned certificate on the router that nsdc runs, right?

bdc is kind of a misleading term.
With Nethserver you have a DC providing the container answering LDAP queries. The remote NethServer (the one joined to the AD) may need credentials to connect to specific apps. Nextcloud works as it uses the local or remote join to get the users.

The device doing the join (remote Nethserver) needs to reach the nsdc container.

No, you need either valid certs like letsencrypt or disable strong auth.

The remote nethserver does reach the nsdc container, thats no problem, but the router which shall be able to query for users does not yet. Thats what I meant why I will have to establish connectivity for the router too, so it will be able to reach nsdc then.

The router refuses to do other than strong auth. But if I install the selfsigned certificate from nsdc on the router, would that not be enough? I really hope that can work, as else I will have other trouble, because only the remote nethserver which serves nextcloud and mailserver has letsencrypt certificiate. That would add complexity as I would have to distribute certs from remote neth to the local one and nsdc…

So if the remote neth is not really a bdc (as I had planned), may I ask - do you know, if there are plans developping, that a second nethserver can be acting officially as backup domain controller with replication and everything? I am asking, as I dont want that one day we cannot access our network anymore because the pdc role nethserver could have gone down? DC is such an crucial service, that I would like to have a backup domain controller. I initially thought, that a second nethserver joined will be able to act as read only dc, but apparentley this is not the case?

I think the router idea is not good as it’s not really a backup. The router is just joined to the Neth AD so if the Neth AD fails the router is no real backup.

You may use Hotsync to get a slave AD server.

As regards planning, for Neth 8 the discussion is open.

I remember that the second DC approach worked recently but I can’t find the thread… :upside_down_face:

Right, it’s not the case as the remote Nethserver is no DC.

No,no. The router does need to query for something else. It will act as VPN server with 2fa. So it will need to query users against AD, as I dont wont to manage users twice.

Thanks for the links and explanations which I’ll study carefully. I also will have a look @hotsync as intermediate solution, still hoping that one day there will be the possibility to create a real backup domain controller. :slight_smile:

Last question on the certificate I asked above. If I copy the selfsigned certificate used by nsdc on to the router why should that not work? Are you sure, that it will need to be an letsencrypt one?

It needs to be a valid one. And letsencrypt is an easy way to get one. Maybe you can allow the Neth cert on your router but easiest way is to get letsencrypt and copy it to the NSDC.
Another way may be to create a CA on the router, and create a cert for Neth.

Did you try this?

What is valid? If it contains the domain, hostname and so on, and its installed on the router isnt it valid then? I will think about the three possibilities, as you mentioned the routers CA is there, so I could go this way. But you are probably right about letsencrypt, I admit that. I will just have to find out how to copy it to nsdc but that should be possible, as I already have found a way to copy it automatically to opnsense router once it is renewed.

But before all that I will have to fix my routing issues so that the router can reach nsdc and then I’ll decide what certificate I will use. Thanks to you and also to giacomo for your replies, which helped me understand the situation. :smiley:

Validated by a trusted CA:

1 Like

Yes, I understand that thanks :slight_smile:

I wanted to just point out, that theoretically the router just wants to only do encrypted queries, and if a “valid” certificate is installed on it, then it should do the trick. But I get your point, so I probably will just modify the script that is fired everytime the letsencrypt certificate is renewed and copies and installs the certificate to the router to additionally copy it to nsdc. :slight_smile:

But I’ll have to do my homework first, and find out how to modify routing as prerequisite to accomplish the above.

Thanks again. Really appreciate your help :+1:


I have a final follow up question. I want to use the same script, which copies my certificates to opnsense to copy them also to nsdc on the dc nethserver. Can please any of you assist me? As Giacomo had described the letsencrypt files are /etc/letsencrypt/live//{fullchain.pem,privkey.pem} right?

The nsdc container uses /var/lib/machines/nsdc/var/lib/samba/private/tls/{key.pem,cert.pem} is that correct?

So can I just copy privkey.pem -> key.pem and fullchain.pem ->cert.pem? And finally I’ll have to systemctl -M nsdc restart samba for a samba restart on nsdc. Will that do it? Or am I missing something?

Yes, that should do it.

I have the same problem with the OPNsense and nethserver AD, do you find a solution

Yes, it works here. My findings were the following:
I was not able to do it with selfsigned certificate, thus nethserver ad nsdc container needs to be configured with a valid certificate with ad.yourdomain.com in it. So I use letsencrypt certificate. Opnsense needs to be able to ping ad.yourdomain.com. The opnsense query needs to be encrypted (port 636). And the base dn must be configured accordingly. For copying the certificate to opnsense I found a script. See comments of giacomo on how to implement it. I basically have made a certificate for sshing from nethserver holding the letsencrypt certificate to opnsense without password, then configured that certificates and this php script are copied (scp) to opnsense, then invoked the php script (also via ssh), and then deleted the script and the copied certificates from opnsense - everytime there is a new certificate, the above happens automatically. To trigger a copy everytime the certificate is renewed see giacomos post in this thread. Once the certificate is in place in opnsense and also in nsdc ad container, the only remaining thing is to get userdn, bind credentials and base-dn right depending on your domain setup. I had trouble understanding cn and ou. Once I got them right, everything worked as expected. For example when you edit your domain with rsat tools from within a windows client, and you create an ou MyUsers, thats ou= but the standard container users is cn=. The same goes with MyComputers =ou but standard container Computers =cn.

In my case, I always got an error message wrong credentials or unknown user in opnsense in the log located here in opnsense (sorry, but I have it in german): System/Protokolldateien/Allgemein, until I figured out, that while my normal domain users were transfered in ou=MyUsers, the user, which I created for ldapqueries remained in the standard “container” Users.
Thus the correct User DN in my case is:
cn=ldapusername, cn=Users (and not ou=MyUsers),dc=ad,dc=yourdomain,dc=com

I hope that helps.


Hi Elleni,

Nicely explained findings.


Today I realized our OPNsense server stopped authenticating our roadwarrior users. The reason is Let’s encrypt changing its root CA certificate while our OPNsense router was not updated for a while. Manually executing the php script which updates certificate as described in this thread revealed that the script refused to update the certificate on the OPNsense router with message:
The certificate issuer does not match the certificate.
O=Let’s Encrypt, CN=R3, C=US,

I thought the solution would be updating the OPNsense router but it wasn’t :slight_smile:

I had to modify the script and change the CN=Let’s Encrypt Authority X3 to CN=R3 then the script works fine again, but I discovered that I could not renew the letsencrypt cert on nethserver, so I opened a separate thread after discovering that I cannot renew our letsencrypt certificate on our nethserver.