docker-openldap

ssl tls letsencrypt traefik

Open CodingJaw opened this issue 5 years ago • 6 comments

I've been trying to set up openldap using the certs dumped from the acme.json files, but for some reason there's not much that points out how to do this successfully.

I have been using ldez/traefik-certs-dumper to get access to the SAN certs I created with traefik v2. It dumps like:

$ traefik-certs-dumper file --domain-subdir=true dump
├──domain.com
│ ├──certificate.crt
│ └──privatekey.key
└──private
  └──letsencrypt.key

and I figured out that I need the root CA public key using the following:

wget http://apps.identrust.com/roots/dstrootcax3.p7c

and the following to convert it to PEM:

openssl pkcs7 -inform der -in dstrootcax3.p7c -out ${VOLUMES}/certs/dstrootcax3.pem -print_certs

my traefik compose file contains:

labels:
  traefik.http.routers.traefik.tls: true
  traefik.http.routers.traefik.tls.certresolver: mytlschallenge
  traefik.http.routers.traefik.tls.domains[0].main: domain.com
  traefik.http.routers.traefik.tls.domains[0].sans: '*.domain.com'

and my openldap compose file contains:

openldap:
  image: osixia/openldap:1.3.0
  container_name: ldap.domain.com
  command:
    - "--copy-service"
    - "--loglevel=debug"
  environment:
    - LDAP_LOG_LEVEL=256
    - LDAP_ORGANISATION=domain
    - LDAP_DOMAIN=domain.com
    - LDAP_ADMIN_PASSWORD=helloworld
    - LDAP_CONFIG_PASSWORD=helloworld
    - LDAP_READONLY_USER=true
    - LDAP_READONLY_USER_USERNAME=readonly
    - LDAP_READONLY_USER_PASSWORD=readonly
    - LDAP_ADDITIONAL_MODULES=memberof
    - LDAP_ADDITIONAL_SCHEMAS=openldap
    - LDAP_TLS=true
    - LDAP_TLS_VERIFY_CLIENT=true
    - LDAP_TLS_CRT_FILENAME=domain.com/certificate.crt
    - LDAP_TLS_KEY_FILENAME=domain.com/privatekey.key
    - LDAP_TLS_CA_CRT_FILENAME=dstrootcax3.pem
  volumes:
    - ${VOLUMES}/ldap/custom_config:/container/service/slapd/assets/config/bootstrap/ldif/custom
    - ${VOLUMES}/ldap/data:/var/lib/ldap
    - ${VOLUMES}/ldap/slapd:/etc/ldap/slapd.d
    - ${VOLUMES}/certs:/container/service/slapd/assets/certs
  expose:
    - 389
    - 636

From inside my container I executed the following to test:

root@4865960a2e2e:# openssl s_client -showcerts -connect localhost:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = domain.com
verify return:1
write:errno=0
Certificate chain
 0 s:CN = domain.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
Server certificate
subject=CN = domain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Acceptable client certificate CA names
O = Digital Signature Trust Co., CN = DST Root CA X3
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519
Shared Requested Signature Algorithms: RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3623 bytes and written 388 bytes
Verification error: unable to get local issuer certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ******
    Session-ID-ctx:
    Master-Key: ******
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1605812151
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes

In reading other posts it seems like I'm supposed to set up a self-signed openssl cert for the CA, but isn't that what traefik and letsencrypt have already done? This seems to be something many others are trying to do, so I'm not sure if it's possible or not. I can't seem to find anything that would explain this any further, so I figured I would open a ticket to see if anyone else has any suggestions or can point me in the right direction.

CodingJaw avatar Nov 19 '20 20:11 CodingJaw
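A small diagnostic for the transcript above, added here as an example and not code from the docker-openldap project: it reads `openssl s_client -showcerts` output, lists the chain the server actually sent, checks that each link's issuer is the next certificate's subject, and explains the two things visible in the paste, the verify return code 20 and the request for a client certificate. The sample is a trimmed copy of the output above; the function names are my own.

```python
import re

# Constructed sample: trimmed from the s_client transcript in the issue above.
SAMPLE = """\
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
depth=0 CN = domain.com
Certificate chain
 0 s:CN = domain.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
Acceptable client certificate CA names
O = Digital Signature Trust Co., CN = DST Root CA X3
Verify return code: 20 (unable to get local issuer certificate)
"""

def parse_chain(text):
    """(subject, issuer) pairs in the order the server presented them."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def verify_code(text):
    m = re.search(r"^Verify return code: (\d+)", text, re.M)
    return int(m.group(1)) if m else None

def diagnose(text):
    chain = parse_chain(text)
    findings = []
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"chain break: {issuer!r} != {next_subject!r}")
    code = verify_code(text)
    top_is_root = bool(chain) and chain[-1][0] == chain[-1][1]
    if code == 20 and chain and not top_is_root and not findings:
        # The server sent leaf + intermediate; only the root is missing, and
        # roots come from the client's trust store, not from the server.
        findings.append(f"chain intact up to issuer {chain[-1][1]!r}; "
                        "s_client lacks that root: rerun with -CAfile <root.pem>")
    if "Acceptable client certificate CA names" in text:
        # slapd asks for a client cert at TLSVerifyClient allow/try/demand;
        # 'true' is an alias of demand, so a client without one is dropped.
        findings.append("server requests a client certificate; with TLSVerifyClient "
                        "demand (alias: true) clients without one are rejected")
    return {"chain": chain, "verify_code": code, "findings": findings}
```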

Self-signed certs are used if you want to use client certificates.

kevdogg avatar Dec 20 '20 03:12 kevdogg

@CodingJaw did you get it working?

GoliathLabs avatar Nov 22 '22 14:11 GoliathLabs

> @CodingJaw did you get it working?

Curious as well. I've used the docker-openldap container now for about a year using self-signed certs. Wondering about your methods.

kevdogg avatar Nov 22 '22 19:11 kevdogg

> @CodingJaw did you get it working?
>
> Curious as well. I've used the docker-openldap container now for about a year using self-signed certs. Wondering about your methods.

Same here

GoliathLabs avatar Nov 23 '22 10:11 GoliathLabs

@kevdogg I got it working btw

I've added the following service to my docker-compose.yml

  openldap-cert:
    image: humenius/traefik-certs-dumper:latest
    volumes:
    - /opt/containers/traefik/data:/traefik:ro
    - ./certs:/output:rw
    environment:
    - DOMAIN=ldap.example.com
    - COMBINED_PEM=chain.pem
    - OVERRIDE_UID=977
    - OVERRIDE_GID=977

In your .env file for the openldap container, add the following:

LDAP_SSL_HELPER_PREFIX=ldap
LDAP_TLS=true
LDAP_TLS_VERIFY_CLIENT=try
LDAP_TLS_CRT_FILENAME=cert.pem
LDAP_TLS_KEY_FILENAME=key.pem
LDAP_TLS_CA_CRT_FILENAME=chain.pem

Make sure that you've got the ldap.example.com certificate in your acme.json file. Otherwise it will fail.

Feel free to leave some feedback on whether it worked.

GoliathLabs avatar Dec 10 '22 16:12 GoliathLabs
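A pre-flight check for the .env settings above, added as an example that is not part of docker-openldap or traefik-certs-dumper: it parses the env file the way a compose env_file is parsed (one KEY=VALUE per line), rejects lines written in YAML `KEY: value` form, spells out what each slapd TLSVerifyClient level does (per slapd.conf(5), `true` and `hard` are aliases of `demand`, which is why a value of `true` makes the server require a client certificate), and checks that the three referenced files exist under the certs directory. The `demand` default and the sample env file are assumptions/constructed.

```python
import os
import tempfile
# slapd.conf(5) TLSVerifyClient levels; hard and true are aliases of demand.
VERIFY_LEVELS = {
    "never": "no client certificate requested",
    "allow": "requested; a missing or bad certificate is ignored",
    "try": "requested; missing is ignored, a bad one ends the session",
    "demand": "required; missing or bad ends the session",
    "hard": "alias of demand", "true": "alias of demand",
}
PATH_VARS = ("LDAP_TLS_CRT_FILENAME", "LDAP_TLS_KEY_FILENAME",
             "LDAP_TLS_CA_CRT_FILENAME")

def parse_env(text):
    """Parse a compose-style env_file; flag YAML-style 'KEY: value' lines."""
    env, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {n}: not KEY=VALUE (YAML syntax?): {line!r}")
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"')
    return env, errors

def check_tls_env(env, certs_dir):
    """Return human-readable problems with the LDAP_TLS_* settings."""
    problems = []
    level = env.get("LDAP_TLS_VERIFY_CLIENT", "demand")  # assumed image default
    if level not in VERIFY_LEVELS:
        problems.append(f"unknown LDAP_TLS_VERIFY_CLIENT {level!r}")
    elif level in ("demand", "hard", "true"):
        problems.append(f"LDAP_TLS_VERIFY_CLIENT={level}: every client must "
                        "present a cert issued by the CA file; use 'try' otherwise")
    for var in PATH_VARS:
        path = os.path.join(certs_dir, env.get(var, ""))
        if not env.get(var) or not os.path.isfile(path):
            problems.append(f"{var}: file {path!r} not found under certs dir")
    return problems

def demo():
    """Constructed sample: a .env with mixed syntax and VERIFY_CLIENT=true."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cert.pem", "key.pem"):
            open(os.path.join(d, name), "w").close()
        env, errors = parse_env("LDAP_TLS=true\nLDAP_TLS_VERIFY_CLIENT=true\n"
                                "LDAP_TLS_CRT_FILENAME=cert.pem\n"
                                "LDAP_TLS_KEY_FILENAME=key.pem\n"
                                "LDAP_TLS_CA_CRT_FILENAME: chain.pem\n")
        return errors, check_tls_env(env, d)
```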

> @kevdogg I got it working btw
>
> I've added the following service to my docker-compose.yml
>
>   openldap-cert:
>     image: humenius/traefik-certs-dumper:latest
>     volumes:
>     - /opt/containers/traefik/data:/traefik:ro
>     - ./certs:/output:rw
>     environment:
>     - DOMAIN=ldap.example.com
>     - COMBINED_PEM=chain.pem
>     - OVERRIDE_UID=977
>     - OVERRIDE_GID=977
>
> In your .env file for the openldap container, add the following:
>
> LDAP_SSL_HELPER_PREFIX=ldap
> LDAP_TLS=true
> LDAP_TLS_VERIFY_CLIENT=try
> LDAP_TLS_CRT_FILENAME=cert.pem
> LDAP_TLS_KEY_FILENAME=key.pem
> LDAP_TLS_CA_CRT_FILENAME=chain.pem
>
> Make sure that you've got the ldap.example.com certificate in your acme.json file. Otherwise it will fail.
>
> Feel free to leave some feedback on whether it worked.

Thank you for your solution!

It works great when publishing port 636 directly on the openldap container. I also managed to go through a TLS TCP router on my Traefik proxy for LDAPS by setting the passthrough option to true.

fahrenheit9 avatar Jan 06 '23 13:01 fahrenheit9