Normalize and autorestart ldapcivi service
Gitlab was not accepting logins. (Discussion on Mattermost.) It would display this error:
Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed".
I confirmed that the live `ldaps` service advertised an old/expired certificate -- even while the certificate on disk looked current. Restarting the service brought it back online. LetsEncrypt periodically updates certs, so I strongly suspect the problem is that the `ldapcivi` process doesn't automatically recognize the new certs.
In debugging, it appeared that the `ldapcivi` process was running as root and launched via tmux. I couldn't figure out how to access the tmux session, so I killed the process and started a new one via
```ini
# This is an example systemd service which deploys
# ldapcivi.
#
# Pre-req: Install compatible version of nodejs
#
# To use it:
#
# 1. Copy this template, e.g. `cp examples/ldapcivi.service /etc/systemd/system/`
# 2. Edit the new file. Change values like "WorkingDirectory", "User", "Group".
# 3. Load the new service (`systemctl daemon-reload`)
# 4. Start the new service for immediate use (`systemctl start ldapcivi`)
# 5. Enable the new service to start on reboot (`systemctl enable ldapcivi`)

[Unit]
Description=ldapcivi
After=syslog.target
After=network.target

[Service]
Type=simple
PermissionsStartOnly=true
WorkingDirectory=/opt/ldapciviauth
ExecStart=/usr/bin/node server.js civicrmorg
TimeoutSec=300
PrivateTmp=true
User=aegir
Group=aegir

[Install]
WantedBy=multi-user.target
```
At the moment, the above service file is available in
- Put the file somewhere more durable that can survive system rebuilds/migrations. (I don't know where.)
- Add a cron job (or some such) to restart the process once every few days.
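An added example, not part of the original issue or of the ldapcivi project: instead of restarting blindly every few days, a cron job could compare the certificate the live `ldaps` listener serves with the one on disk and restart `ldapcivi` only when they differ. The listener address and the certificate path are assumptions and must be adjusted to the real deployment.

```python
#!/usr/bin/env python3
"""Restart ldapcivi only when the served certificate differs from the one on disk."""
import hashlib
import ssl
import subprocess
import sys

# Assumptions (not from the original issue); adjust to the real deployment.
LDAPS_ADDR = ("localhost", 636)                 # LDAPS listener of ldapcivi
CERT_ON_DISK = "/path/to/letsencrypt/cert.pem"  # placeholder path
SERVICE = "ldapcivi"                            # unit name from the service file

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM string.

    Chain files list the leaf certificate first, so only that one is hashed.
    Raises ValueError if no certificate block is present.
    """
    first = pem[pem.index(BEGIN): pem.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()


def is_stale(served_pem: str, disk_pem: str) -> bool:
    """True when the running process still serves a different certificate."""
    return fingerprint(served_pem) != fingerprint(disk_pem)


def main() -> int:
    # Fetched without verification, so an expired certificate is still returned.
    served = ssl.get_server_certificate(LDAPS_ADDR)
    with open(CERT_ON_DISK) as fh:
        disk = fh.read()
    if is_stale(served, disk):
        print(f"{SERVICE}: served certificate differs from {CERT_ON_DISK}; "
              "restarting", file=sys.stderr)
        subprocess.run(["systemctl", "restart", SERVICE], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as root from cron or a systemd timer; a non-zero exit means the listener was unreachable, the certificate file was unreadable, or the restart failed.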