
StartTLS: open /data/tls/ldap/ca.pem: no such file or directory

Open D0wn3r opened this issue 2 years ago • 12 comments

Bug description: I'm trying to connect my Portainer to my LDAP server with StartTLS, but when I put in the file and check the connection I get this error:

portainer_1  | level=info msg="2021/12/13 16:48:11 http error: Unable to connect to LDAP server (err=failed creating LDAP connection: open /data/tls/ldap/ca.pem: no such file or directory) (code=500)"

As if it doesn't upload my cert.pem file.

Expected behavior: StartTLS with a certificate works.

Portainer Logs

portainer_1  | level=info msg="2021/12/13 16:48:11 http error: Unable to connect to LDAP server (err=failed creating LDAP connection: open /data/tls/ldap/ca.pem: no such file or directory) (code=500)"

Steps to reproduce the issue:

  1. Go to 'Settings' -> 'Authentication'
  2. LDAP
  3. Configure LDAP credentials and all configs
  4. Check 'StartTLS'
  5. Upload certificate
  6. Press 'Test connectivity'

Technical details:

  • Portainer version: 2.11.0
  • Docker version (managed by Portainer): 20.10.8
  • Platform (windows/linux): linux
  • Browser: Firefox

D0wn3r avatar Dec 13 '21 16:12 D0wn3r

If I do a volume mount between /data/tls/ldap/ca.pem and my certificate on my host, the connectivity check works fine, but I can't press "Save settings".

D0wn3r avatar Dec 13 '21 17:12 D0wn3r

@D0wn3r Thanks for raising this. I'll look into this and will come back to you soon. Which external directory source are you using? And can you share a screenshot? Is the Save option greyed out for you?

samdulam avatar Dec 20 '21 15:12 samdulam

Hello, thank you for taking the time to look at this. "Which external directory source are you using?" If you are talking about the mount I did to try to "fix" that, it's just a mount between my cert on the host and /data/tls/ldap/ca.pem in the Portainer container. "Is the Save option greyed out for you?" The button stays greyed out, that's why I can't save.

I put in the information and upload my cert (screen1), but when I test connectivity an error appears (screen2).

D0wn3r avatar Dec 21 '21 13:12 D0wn3r

Experiencing the same issue, so I copied my cert into the location that Portainer is looking for. I still need to select a local certificate in that dialog to do so, but the connection tests OK. Despite all this, though, the save button is still greyed out.

I am not sure if this is related or not (let me know and I'll open a separate issue), but upon refresh the server address info is missing from the LDAP settings screen even though authentication still functions as intended.

MaleNurse avatar Feb 03 '22 08:02 MaleNurse

Hello @samdulam, any progress on that topic? It would be really important to be able to set up secure LDAP connections for new Portainer setups. Just following the normal menu, "/data/tls/ldap/ca.pem: no such file or directory" is always displayed. It seems the upload of the TLS CA certificate is not working correctly.

Thanks a lot.

Floppsi1 avatar Mar 18 '22 15:03 Floppsi1

Is there any news on that? I have the same issue at the moment and it seems as if the certificate upload doesn't work.

sebbm avatar Apr 29 '22 07:04 sebbm

No :/

D0wn3r avatar Apr 29 '22 07:04 D0wn3r

Bug still present with the latest version, 2.13.1. No secure connection to the LDAP server is possible anymore! I don't understand that no one cares about that. @samdulam could you please have a look at that problem. Thanks.

Floppsi1 avatar May 20 '22 16:05 Floppsi1

Hello, same issue, the save button is greyed out! Thanks

Oneel77 avatar Jun 16 '22 17:06 Oneel77

Bug confirmed: failing to upload the pem file to the desired location. As a workaround, you can place the file (e.g. ca.pem) in the /data/tls/ldap location inside the Portainer container's volume.

samdulam avatar Jul 05 '22 04:07 samdulam

@samdulam I'm not sure that's a workaround, to be honest. I mounted /data/tls/ldap/ca.pem as a bind volume and I can pass the connectivity check; however, as the other users who replied above stated, there is no way to save the configuration since the save settings button is always greyed out. Not really a workaround.

kevdogg avatar Jul 22 '22 22:07 kevdogg

The bug appears to be with the UI, rather than Portainer's backend. I've been working around this by configuring Portainer via its API.

The LDAP part of the configuration can be done via PUT /settings. From my experience, I've found Portainer doesn't respect any TLSCACert value I set via the API, so I'm still left with placing the CA file in the default location (/data/tls/ldap/ca.pem) and using the API to configure the rest of the LDAP settings (note: you'll have to authenticate via the API first to get a token for the settings request).

As a hint, the body of my PUT /settings request looks roughly like:

{
  "AuthenticationMethod": 2,
  "LDAPSettings": {
    "AnonymousMode": true,
    "ReaderDN": "",
    "URL": "<LDAPS host:port here>",
    "TLSConfig": {
      "TLS": true,
      "TLSSkipVerify": false
    },
    "StartTLS": false,
    "SearchSettings": [
      {
        "BaseDN": "<base DN here>",
        "Filter": "(objectclass=posixAccount)",
        "UserNameAttribute": "uid"
      }
    ],
    "GroupSearchSettings": [
      {
        "GroupBaseDN": "<group base DN here>",
        "GroupFilter": "(objectclass=posixGroup)",
        "GroupAttribute": "memberUid"
      }
    ],
    "AutoCreateUsers": true
  }
}

Note that "AuthenticationMethod": 2 corresponds to LDAP. This doesn't appear to be documented (if it is, it's not easy to find); I reverse engineered it by inspecting the API requests sent by the UI.

MVJosh avatar Jul 25 '22 07:07 MVJosh
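The API workaround from the two comments above (drop the CA at /data/tls/ldap/ca.pem inside the container, then authenticate and PUT the settings), written out as an added example. This is not code from the issue, its participants, or Portainer itself. It assumes Portainer serves its HTTP API under /api (POST /api/auth returning {"jwt": ...} and PUT /api/settings taking the settings object), that the LDAP URL is given as host:port without a scheme as in the body above, and that the "Password" field is the bind password for ReaderDN; all host names, DNs and credentials are placeholders. The TLS checks reject a body that would send LDAP bind and user passwords in the clear or skip server-certificate verification, since the whole point of the thread is getting a verified TLS connection.

```python
"""Added example, not from the issue or Portainer: build, check and push the
PUT /api/settings body for LDAP. Assumes the API is under /api and that the CA
is already at /data/tls/ldap/ca.pem in the container (TLSCACert in the body
is reported to be ignored)."""
import json
import ssl
import urllib.request

AUTH_METHOD_LDAP = 2                        # value the UI sends for LDAP
PORTAINER_CA_PATH = "/data/tls/ldap/ca.pem"  # path Portainer reads the CA from


def build_ldap_settings(url, base_dn, group_base_dn, *, ldaps=True,
                        start_tls=False, skip_verify=False,
                        reader_dn="", reader_password="",
                        user_filter="(objectclass=posixAccount)",
                        username_attr="uid",
                        group_filter="(objectclass=posixGroup)",
                        group_attr="memberUid", auto_create=True):
    """Settings body mirroring the JSON above; anonymous bind unless reader_dn is set."""
    return {
        "AuthenticationMethod": AUTH_METHOD_LDAP,
        "LDAPSettings": {
            "AnonymousMode": not reader_dn,
            "ReaderDN": reader_dn,
            "Password": reader_password,   # assumed: bind password for ReaderDN
            "URL": url,                    # host:port, no scheme (assumed)
            "TLSConfig": {"TLS": ldaps, "TLSSkipVerify": skip_verify},
            "StartTLS": start_tls,
            "SearchSettings": [{"BaseDN": base_dn, "Filter": user_filter,
                                "UserNameAttribute": username_attr}],
            "GroupSearchSettings": [{"GroupBaseDN": group_base_dn,
                                     "GroupFilter": group_filter,
                                     "GroupAttribute": group_attr}],
            "AutoCreateUsers": auto_create,
        },
    }


def tls_findings(settings):
    """Problems a reviewer would reject before this body reaches Portainer."""
    ldap = settings["LDAPSettings"]
    tls = ldap["TLSConfig"]
    findings = []
    if not tls["TLS"] and not ldap["StartTLS"]:
        findings.append("plaintext LDAP: bind and user passwords cross the "
                        "network unencrypted")
    if tls["TLS"] and ldap["StartTLS"]:
        findings.append("TLS and StartTLS both set: use LDAPS (TLS) or "
                        "StartTLS, not both")
    if tls["TLSSkipVerify"]:
        findings.append("TLSSkipVerify=true: the server certificate is not "
                        "validated, so an on-path attacker can collect credentials")
    if not ldap["AnonymousMode"] and not ldap["Password"]:
        findings.append("ReaderDN set without a bind password")
    if ldap["URL"].startswith(("ldap://", "ldaps://")):
        findings.append("URL carries a scheme; the body above uses host:port")
    return findings


def _context(cafile):
    # Verify Portainer's own HTTPS certificate too; pass cafile for a private CA.
    return ssl.create_default_context(cafile=cafile)


def portainer_login(base_url, username, password, cafile=None):
    """POST /api/auth with an admin account and return the JWT."""
    body = json.dumps({"Username": username, "Password": password}).encode()
    req = urllib.request.Request(f"{base_url}/api/auth", data=body,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, context=_context(cafile)) as resp:
        return json.load(resp)["jwt"]


def put_settings(base_url, jwt, settings, cafile=None):
    """PUT /api/settings with the Bearer token; refuses an insecure body."""
    problems = tls_findings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(f"{base_url}/api/settings",
                                 data=json.dumps(settings).encode(),
                                 headers={"Authorization": f"Bearer {jwt}",
                                          "Content-Type": "application/json"},
                                 method="PUT")
    with urllib.request.urlopen(req, context=_context(cafile)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; nothing is contacted until the two calls are uncommented.
    settings = build_ldap_settings("ldap.example.com:389", "dc=example,dc=com",
                                   "ou=groups,dc=example,dc=com",
                                   ldaps=False, start_tls=True)
    print(json.dumps(settings, indent=2))
    print("findings:", tls_findings(settings) or "none")
    # token = portainer_login("https://portainer.example.com", "admin", "secret")
    # put_settings("https://portainer.example.com", token, settings)
```

Because the body cannot carry the CA, the only thing that makes TLSSkipVerify=false meaningful is the file Portainer finds at /data/tls/ldap/ca.pem inside its container; if that file is missing you get the "no such file or directory" error from the top of the thread rather than a silently unverified connection, which is the safer of the two failures.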

linked to https://github.com/portainer/portainer/pull/7340

WaysonWei avatar Sep 05 '22 22:09 WaysonWei