Setting up Let's Encrypt SSL with the Bitnami OpenLDAP Docker container
I spent several hours learning how to set up the bitnami/openldap Docker image to work for my needs. I am not well versed in LDAP, nor am I proficient in SSL. What follows is hopefully a recount of my issue and how I solved the problem.
Setting up a Docker Compose file was fairly straightforward and I was able to connect to the LDAP service over the non-SSL port. See the docker-compose file below. The real issue was trying to understand the errors I was seeing while attempting to connect via the secure port.
When I ran the following ldapsearch command with the SSL settings (replacing example.org and dc=example,dc=org with my specific domain info):
ldapsearch -LLL -H ldaps://ldap.example.org:1636 -x -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"
The only error I saw was the following:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I figured there might be a port issue, so I attempted to see what I would get with curl and openssl commands. This is what I saw with openssl (note: some data redacted for security reasons):
openssl s_client -connect ldap.example.org:1636 -msg -verify 1
verify depth is 1
CONNECTED(00000003)
>>> TLS 1.0, RecordHeader [length 0005]
{redaction: some hex data}
>>> TLS 1.3, Handshake [length 013a], ClientHello
{redaction: more hex data}
>>> TLS 1.0, RecordHeader [length 0005]
{redaction: and yet some more hex data}
>>> TLS 1.3, Alert [length 0002], fatal decode_error
02 32
00EE191801000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
This had me thinking there must be something wrong with the certificates I used, although the TLS 1.3 Alert fatal decode_error was a tad confusing as well. I did check the logs in the Docker container and saw the following:
openldap fd=14 closed (TLS negotiation failure)
So obviously there is something not right with my certificates. I use Let's Encrypt to set up my certificates for the web server, and there are four files that are created:
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
I initially used cert.pem for the LDAP_TLS_CERT_FILE, privkey.pem for the LDAP_TLS_KEY_FILE, and finally the root.pem from Let's Encrypt for the LDAP_TLS_CA_FILE. This was not working. So for the CA_FILE I decided to try fullchain.pem, which did not work either. So I did a little Google search for how to use Let's Encrypt with OpenLDAP, and a StackOverflow article gave me an idea to try.
I needed to combine the fullchain.pem file with the root.pem from Let's Encrypt. Once I did that and restarted the container, all worked as planned with the following command (replacing example.org and dc=example,dc=org with my specific domain info):
ldapsearch -LLL -H ldaps://ldap.example.org:1636 -x -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"
Here is my docker-compose.yml file (my domain data replaced with example data):
version: '3.7'
services:
  openldap:
    image: bitnami/openldap
    ports:
      - '1389:1389'
      - '1636:1636'
    environment:
      - LDAP_ROOT=dc=example,dc=org
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=myuser1,myuser2
      - LDAP_PASSWORDS=password1,password2
      - LDAP_ENABLE_TLS=yes
      - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt
      - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key
      - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt
    volumes:
      - 'openldap_data:/bitnami/openldap'
      - './certs:/opt/bitnami/openldap/certs'
volumes:
  openldap_data:
    driver: local
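The certificate preparation described above (cert.pem and privkey.pem copied under the names the compose file expects, plus the CA file built from fullchain.pem followed by root.pem), as an added example script rather than anything from the post, Bitnami or Let's Encrypt. The LE_DIR, LE_ROOT, OUT_DIR and host/port values are assumptions; it verifies the leaf chains to the root before you restart the container, and can check the live ldaps port afterwards.

```shell
#!/bin/sh
# Prepare ./certs for the bitnami/openldap container from Let's Encrypt files.
# Added example for this post, not Bitnami's or Let's Encrypt's tooling.
# Assumptions: LE_DIR is the certbot live directory for the LDAP host,
# LE_ROOT is the downloaded Let's Encrypt root (root.pem in the post),
# OUT_DIR is the directory bind-mounted at /opt/bitnami/openldap/certs.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/ldap.example.org}"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt/root.pem}"
OUT_DIR="${OUT_DIR:-./certs}"
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"
LDAPS_PORT="${LDAPS_PORT:-1636}"

# Number of PEM certificate blocks in a file; prints "0" (not an error) when none.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Build the CA file the post ended up with: fullchain.pem followed by the root.
# Usage: build_ca_bundle FULLCHAIN ROOT OUTFILE
build_ca_bundle() {
    cat "$1" "$2" > "$3"
    chmod 644 "$3"
}

# Copy leaf cert and key under the names docker-compose.yml expects, build the
# CA bundle, then confirm the leaf really chains to the root before restarting.
install_ldap_certs() {
    mkdir -p "$OUT_DIR"
    cp "$LE_DIR/cert.pem" "$OUT_DIR/openldap.crt"
    cp "$LE_DIR/privkey.pem" "$OUT_DIR/openldap.key"
    # Keep openldap.key readable only by the user the container process runs as.
    build_ca_bundle "$LE_DIR/fullchain.pem" "$LE_ROOT" "$OUT_DIR/openldapCA.crt"
    echo "CA bundle holds $(count_certs "$OUT_DIR/openldapCA.crt") certificates"
    openssl verify -CAfile "$OUT_DIR/openldapCA.crt" "$OUT_DIR/openldap.crt"
}

# After `docker compose up -d`: handshake with the container and require a
# verified chain (non-zero exit if the server's chain does not validate).
check_ldaps() {
    openssl s_client -connect "$LDAP_HOST:$LDAPS_PORT" -servername "$LDAP_HOST" \
        -CAfile "$LE_ROOT" -verify_return_error </dev/null >/dev/null 2>&1
}

case "${1:-}" in
    install) install_ldap_certs ;;
    check)   check_ldaps && echo "ldaps chain verified" ;;
esac
```

Run `sh prepare-ldap-certs.sh install` before `docker compose up -d`, then `sh prepare-ldap-certs.sh check` to confirm the chain the container now serves validates against the root.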