Setting up Let’sEncrypt SSL with Bitnami OpenLDAP Docker container

I spent several hours learning how to set up the Bitnami/openldap Docker image to work for my needs. I am not well versed in LDAP, nor am I proficient in SSL. What follows is hopefully an account of my issue and then how I solved the problem.

Setting up a Docker Compose file was fairly straightforward and I was able to connect to the LDAP service over the non-SSL port; see the docker-compose file below. The real issue was trying to understand the errors I was seeing while attempting to connect via the secure port.

When I ran the following ldapsearch command with the SSL settings (replacing example.org and dc=example,dc=org with my specific domain info):

ldapsearch -LLL -H ldaps://ldap.example.org:1636 -x -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"

the only error I saw said the following:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I figured there may be a port issue, so I attempted to see what I would get with curl and openssl commands. This is what I saw with openssl (note: some data redacted for security reasons):

openssl s_client -connect ldap.example.org:1636 -msg -verify 1
verify depth is 1
CONNECTED(00000003)
>>> TLS 1.0, RecordHeader [length 0005]
    {redaction: some hex data}
>>> TLS 1.3, Handshake [length 013a], ClientHello
    {redaction: more hex data}
>>> TLS 1.0, RecordHeader [length 0005]
    {redaction: and yet some more hex data}
>>> TLS 1.3, Alert [length 0002], fatal decode_error
    02 32
00EE191801000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

This had me thinking there must be something wrong with the certificates I used, although the TLS 1.3 Alert with fatal decode_error was a tad confusing as well. I did check the logs in the Docker container and saw the following:

openldap fd=14 closed (TLS negotiation failure)

So obviously there is something not right with my certificates. I use Let’s Encrypt to set up my certificates for the web server, and there are four files that are created:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

I initially used cert.pem for LDAP_TLS_CERT_FILE, privkey.pem for LDAP_TLS_KEY_FILE and finally the root.pem from Let’s Encrypt for LDAP_TLS_CA_FILE. This was not working. So for the CA_FILE I decided to try fullchain.pem, which did not work either. So I did a little Google search for how to use Let’s Encrypt with OpenLDAP, and a StackOverflow article gave me an idea to try.

I needed to combine the fullchain.pem file with the root.pem from Let’s Encrypt. Once I did that and restarted the container, all worked as planned with the following command (replacing example.org and dc=example,dc=org with my specific domain info):

ldapsearch -LLL -H ldaps://ldap.example.org:1636 -x -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"

Here is my docker-compose.yml file (my domain data replaced with example data):

version: '3.7'

services:
  openldap:
    image: bitnami/openldap
    ports:
      - '1389:1389'
      - '1636:1636'
    environment:
      - LDAP_ROOT=dc=example,dc=org
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=myuser1,myuser2
      - LDAP_PASSWORDS=password1,password2
      - LDAP_ENABLE_TLS=yes
      - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt
      - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key
      - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt
    volumes:
      - 'openldap_data:/bitnami/openldap'
      - './certs:/opt/bitnami/openldap/certs'

volumes:
  openldap_data:
    driver: local
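As an added example that is not part of the original post, here is a shell script that assembles the three files the docker-compose.yml above expects in ./certs from a Let’s Encrypt live directory plus the root.pem, using the fullchain.pem + root.pem combination that made the handshake succeed. The function names, the certificate-block count check and the permission settings are my own assumptions; the optional openssl verify step only runs when openssl is installed.

```shell
#!/usr/bin/env sh
# Build the certificate files for the bitnami/openldap container from a
# Let's Encrypt live directory (cert.pem, privkey.pem, fullchain.pem) and
# the separately downloaded root.pem. Output names match the compose file.
set -eu

# Count PEM certificate blocks in a file (prints 0 if there are none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ldap_certs <letsencrypt_live_dir> <root.pem> <out_dir>
# Prints the number of certificate blocks in the assembled CA bundle.
build_ldap_certs() {
  live="$1"; root="$2"; out="$3"
  mkdir -p "$out"
  cp "$live/cert.pem"    "$out/openldap.crt"
  cp "$live/privkey.pem" "$out/openldap.key"
  # LDAP_TLS_CA_FILE: fullchain.pem followed by the root certificate.
  cat "$live/fullchain.pem" "$root" > "$out/openldapCA.crt"
  chmod 600 "$out/openldap.key"                       # key stays private
  chmod 644 "$out/openldap.crt" "$out/openldapCA.crt"

  # Sanity checks: the bundle must contain more blocks than fullchain.pem
  # alone (i.e. the root was appended), and no key may sit in a cert file.
  n_full=$(count_certs "$live/fullchain.pem")
  n_ca=$(count_certs "$out/openldapCA.crt")
  if [ "$n_ca" -le "$n_full" ]; then
    echo "CA bundle does not contain the root certificate" >&2; return 1
  fi
  if grep -q -- 'PRIVATE KEY' "$out/openldap.crt" "$out/openldapCA.crt"; then
    echo "private key material found in a certificate file" >&2; return 1
  fi
  echo "$n_ca"
}

# verify_chain <out_dir>: check the leaf against the assembled bundle
# with openssl when it is available; a no-op otherwise.
verify_chain() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl verify -CAfile "$1/openldapCA.crt" "$1/openldap.crt"
}
```

Run it as `build_ldap_certs /etc/letsencrypt/live/ldap.example.org ./root.pem ./certs && verify_chain ./certs`, then restart the container so slapd picks up the new files.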
