[GH-ISSUE #525] Support ECKey as private key for lldaps #195

Closed
opened 2026-02-27 08:15:48 +03:00 by kerem · 4 comments

Originally created by @Michsior14 on GitHub (Apr 4, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/525

Caddy defaults to [ed25519 tls key type](https://caddyserver.com/docs/caddyfile/options#key-type).
It would be cool if the certificates generated with standard configuration of Caddy would work with lldap as well.


@nitnelave commented on GitHub (Apr 4, 2023):

Side note: it would be amazing if you could contribute your Caddy config as well ;)


@Michsior14 commented on GitHub (Apr 5, 2023):

Caddy config is very simple:

```
lldap.example.com {
    log

    # lldap frontend is listening on 8080
    reverse_proxy http://127.0.0.1:8080

    tls {
        # dns acme challenge using aws route 53
        dns route53
    }
}
```

Workaround that I use for now is to force RSA certificate via global options:

```
{
    key_type rsa4096
}
```

The only thing that is not the greatest is that lldap needs to be restarted every night to ensure the latest certificate from Caddy is used (there is no signal). Alternatively, inotify/incron could listen for the file updates and restart lldap whenever needed.

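Added example (not from this thread, and not code from lldap or Caddy): a pure-Python check that reports which key family a private-key PEM holds, so an operator can tell before restarting lldap whether the key Caddy issued is one lldap will load or whether the `key_type rsa4096` workaround above is needed. It walks the PKCS#8 AlgorithmIdentifier OID by hand instead of depending on the `cryptography` package, and also recognises the `RSA PRIVATE KEY` and `EC PRIVATE KEY` PEM labels. The sample PEMs are constructed with dummy key bytes around real AlgorithmIdentifiers and are not usable keys; the set of key types treated as working with lldap (RSA) is an assumption taken from the workaround in the comment, since the thread does not state lldap's full list.

```python
import base64
import re

# Algorithm OIDs found in a PKCS#8 PrivateKeyInfo AlgorithmIdentifier
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsa",      # rsaEncryption
    "1.2.840.10045.2.1": "ec",          # id-ecPublicKey (ECDSA keys)
    "1.3.101.112": "ed25519",           # id-Ed25519
}

# Assumption from the thread's workaround: RSA is the key type known to work with lldap.
WORKS_WITH_LLDAP = {"rsa"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends a base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def pkcs8_key_type(der):
    """Return the key family named by the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo."""
    tag, seq_start, _ = _read_tlv(der, 0)                # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, ver_end = _read_tlv(der, seq_start)          # version INTEGER
    if tag != 0x02:
        raise ValueError("missing version")
    tag, alg_start, _ = _read_tlv(der, ver_end)          # privateKeyAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return OID_NAMES.get(oid, "unknown(" + oid + ")")


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_key_type(pem_text):
    """Classify a private-key PEM as 'rsa', 'ec', 'ed25519' or 'unknown(<oid>)'."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":     # PKCS#1: the label itself names the type
        return "rsa"
    if label == "EC PRIVATE KEY":      # SEC1: likewise
        return "ec"
    if label == "PRIVATE KEY":         # PKCS#8: the type is inside the DER
        return pkcs8_key_type(base64.b64decode("".join(body.split())))
    raise ValueError("not a private key PEM: " + label)


def needs_rsa_workaround(pem_text):
    """True when this key would need Caddy's `key_type rsa4096` workaround from the thread."""
    return pem_key_type(pem_text) not in WORKS_WITH_LLDAP


def _constructed_pkcs8_pem(alg_id_der, key_octets):
    """Wrap an AlgorithmIdentifier and dummy key bytes in a PKCS#8 PEM (constructed, not a real key)."""
    body = b"\x02\x01\x00" + alg_id_der + bytes([0x04, len(key_octets)]) + key_octets
    der = bytes([0x30, len(body)]) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


# Constructed samples: genuine AlgorithmIdentifier encodings, dummy key material.
SAMPLE_ED25519_PEM = _constructed_pkcs8_pem(
    bytes.fromhex("300506032b6570"), b"\x04\x20" + b"\x11" * 32)
SAMPLE_EC_P256_PEM = _constructed_pkcs8_pem(
    bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107"), b"\x00" * 4)
SAMPLE_RSA_PEM = _constructed_pkcs8_pem(
    bytes.fromhex("300d06092a864886f70d0101010500"), b"\x00" * 4)

if __name__ == "__main__":
    for name, pem in [("ed25519", SAMPLE_ED25519_PEM), ("ec", SAMPLE_EC_P256_PEM), ("rsa", SAMPLE_RSA_PEM)]:
        print(name, "->", pem_key_type(pem), "| needs workaround:", needs_rsa_workaround(pem))
```

To check a real file, read it and pass the text to `pem_key_type`; only the algorithm identifier is inspected, so the key material itself is never interpreted.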

@nitnelave commented on GitHub (Apr 5, 2023):

Why do you need to change the certificate every night? Usually you can get much longer-lived certificates, at least 3 months, no?


@Michsior14 commented on GitHub (Apr 5, 2023):

I am using incron to detect the changes and restart only when needed, but without it you won't know when the change happens (Caddy can do that a week before the 3-month span ends, or it can be days/hours), so it's the safest bet I guess.

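Added example (not from this thread, and not code from lldap, Caddy or incron): the "restart only when the certificate actually changed" logic from the comment above, written as a small polling watcher so it can be run where inotify/incron is not available. It compares content fingerprints rather than modification times, so a file rewritten with identical contents does not trigger a restart, it skips a file that is momentarily absent during rotation instead of restarting on a half-written pair, and it fires at most once per poll even when the certificate and key change together. The service name `lldap` passed to `systemctl` is an assumption about the deployment.

```python
import hashlib
import subprocess
import sys
import time


def fingerprint(path):
    """SHA-256 of a file's contents, or None if it is absent (e.g. mid-rotation)."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return None


class CertWatcher:
    """Remembers content fingerprints of cert/key files and reports only real changes."""

    def __init__(self, paths):
        self.paths = list(paths)
        # Baseline at startup so the first poll never triggers a restart.
        self.seen = {p: fingerprint(p) for p in self.paths}

    def changed(self):
        """Return paths whose contents differ from the last poll and advance the baseline."""
        changed = []
        for p in self.paths:
            fp = fingerprint(p)
            if fp is None:        # file missing right now: wait, don't restart on a half-done rotation
                continue
            if fp != self.seen[p]:
                self.seen[p] = fp
                changed.append(p)
        return changed


def watch(paths, on_change, interval=60.0, max_polls=None):
    """Poll the files; call on_change(changed_paths) at most once per poll. Returns the call count."""
    watcher = CertWatcher(paths)
    calls = 0
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        changed = watcher.changed()
        if changed:
            on_change(changed)
            calls += 1
        if max_polls is None or polls < max_polls:
            time.sleep(interval)
    return calls


def restart_lldap(changed_paths):
    """Restart the service; 'lldap' as the systemd unit name is an assumption."""
    print("changed:", ", ".join(changed_paths), "- restarting lldap", file=sys.stderr)
    subprocess.run(["systemctl", "restart", "lldap"], check=False)


if __name__ == "__main__":
    # usage: python watch_certs.py /path/to/cert.pem /path/to/key.pem
    watch(sys.argv[1:], restart_lldap)
```

Run it under a supervisor so the baseline is re-read if the watcher itself restarts; a poll interval of a minute is plenty given that renewals happen days apart.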