
SSL certificate error when launching LDAP container #39

Closed
pabsroq opened this issue Sep 21, 2021 · 25 comments

Comments

@pabsroq

pabsroq commented Sep 21, 2021

Hi,

Just unsure about the nature of this error.

Our website has a valid certificate, and we have forced "ldap_no_tls_verify = false" from the default true value (it also failed in that case).

ldap_sync_1    | Error inviting users from ldap. Count 0: Failed to get existing users from server
ldap_sync_1    |
ldap_sync_1    | Caused by:
ldap_sync_1    |     0: Could not get list of existing users from server
ldap_sync_1    |     1: http error making request Error(Hyper(Error(Connect, Custom { kind: Other, error: Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 337047686, library: "SSL routines", function: "tls_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1915 }]))) }, X509VerifyResult { code: 20, error: "unable to get local issuer certificate" }) })), "https://vaultwarden.mydomain.net/admin/")
ldap_sync_1    |     2: https://vaultwarden.mydomain.net/admin/: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
ldap_sync_1    |     3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
ldap_sync_1    |     4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
@ViViDboarder
Owner

The ldap_no_tls_verify is only for the connection to the LDAP server, not the Vaultwarden server.

Are you using the alpine image now? Can you try with the non-alpine one?

@pabsroq
Author

pabsroq commented Sep 21, 2021

Just set it back to the latest, still getting the error.
I am failing miserably at identifying the why of the error.
Why would it try to obtain a local issuer ("unable to get local issuer certificate") when it is just hitting a website with a valid cert? Thx

@pabsroq
Author

pabsroq commented Sep 22, 2021

These are the images I am currently using:

vaultwarden/server                                  latest              99bc39992761        8 weeks ago         182MB
vividboarder/vaultwarden_ldap                       latest              7b85d540a818        2 months ago        1.18GB

@Marvin0098

Marvin0098 commented Nov 23, 2021

Hi, is there any update on this issue? I'm running into the same problems.
My certificate is valid and I can connect to https://vault.mydomain.com in the browser without issues. I use Traefik as a reverse proxy in front of my vaultwarden container.

Thx

@ViViDboarder
Owner

Who are your certificates issued by?

@Marvin0098

They are official wildcard certificates issued from digicert, not from a local CA.

@Oz246

Oz246 commented Nov 29, 2021

Hello,

I am encountering the same problem.

Is there a solution?

I am using a wildcard certificate for my website, which is served over HTTPS via HAProxy.

0: Could not get list of existing users from server

1: http error making request Error(Hyper(Error(Connect, Custom { kind: Other, error: Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 337047686, library: "SSL routines", function: "tls_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1915 }]))) }, X509VerifyResult { code: 20, error: "unable to get local issuer certificate" }) })), "https://*****/admin/")

2: https://****/admin/: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)

3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)

4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:

@ViViDboarder
Owner

My guess is that this is due to a new cert in the chain and that the Docker image needs to be rebuilt with the latest trusted certs.

My ability to test and deploy this is limited right now due to family obligations. If someone can test to see how it works with a newer base image, I could deploy that. Otherwise, it may take me a couple weeks.

@ViViDboarder
Owner

Found a little bit of time. You can test the latest master and master-alpine images. If those work, we should be good.

@Oz246

Oz246 commented Nov 30, 2021

Thank you for being quick!!

The problem is still present for me:

0: Could not get list of existing users from server

1: http error making request Error(Hyper(Error(Connect, Custom { kind: Other, error: Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 337047686, library: "SSL routines", function: "tls_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1913 }]))) }, X509VerifyResult { code: 20, error: "unable to get local issuer certificate" }) })), "https://****/admin/")

2: https://*****/admin/: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1913: (unable to get local issuer certificate)

3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1913: (unable to get local issuer certificate)

4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1913:

@ViViDboarder
Owner

Hmm. I may need to do some reading on how certificate chains are bundled with the Rust TLS libraries. Have you tried both the regular and alpine versions?

@michaelortnersanube

Hello @ViViDboarder, I have tried the alpine and the regular master version; both of them give the same error.

@michaelortnersanube

I think I have found the error: you have to add the root certificates to the host. I will test this and give feedback.

@michaelortnersanube

The problem has been resolved. You have to add the root certificate of your provider to the /etc/ssl/certs directory of your server, then you have to mount the volume in your Docker container. Don't forget to run dpkg-reconfigure certificates so that they will be added. If you have the following certificate: Digicertrootcert.cert.pem, you have to rename it to Digicertrootcert.cert and then run dpkg-reconfigure certificates.

@itiser

itiser commented Jan 26, 2022

I've got the same problem but it could not be resolved by the steps above.

To clarify:

You installed a ca-certificate on the server, mounted it to the container and executed the "dpkg-reconfigure" in the container?

The command "dpkg-reconfigure certificates" failed in my container ("package certificates is not installed"). Did you mean "dpkg-reconfigure ca-certificates"?

We have an official wildcard certificate issued by Starfield Technologies, and the Starfield CA certificate is installed by default
on the server (Debian 11). So everything should be as required. Right? Or do I misunderstand the process?

Any ideas?

@itiser

itiser commented Jan 27, 2022

I have installed a missing intermediate CA on the server and now the cert error in wget is gone (wget -S https://sub.domain.tld), but the error in vw-ldap is still the same... (like mentioned above by Oz246)...
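The two root causes this thread circles around can be shown side by side with openssl: a trust store inside the image that lacks the right root (ViViDboarder's guess, and the /etc/ssl/certs fix above), and a reverse proxy that omits the intermediate (the wget finding in this comment). The following shell example is added here and is not the project's code; it builds a throwaway root -> intermediate -> leaf chain offline, reproduces X509 error 20 ("unable to get local issuer certificate"), and shows which changes clear it. All names (TestRoot, vaultwarden.example.test, etc.) are made up.

```shell
#!/bin/sh
# Added example (not the project's code): reproduce X509 error 20,
# "unable to get local issuer certificate", with a throwaway
# root -> intermediate -> leaf chain, then show which fixes clear it.
# All names are made up and nothing here touches the network.
set -eu
WORK=$(mktemp -d)

# mk_root CN NAME: self-signed root written to $WORK/NAME.{key,crt}
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# mk_signed CN NAME ISSUER EXT1 EXT2: cert for CN signed by $WORK/ISSUER.{key,crt}
mk_signed() {
  printf '%s\n' "$4" "$5" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

make_chain() {
  mk_root TestRoot root
  mk_root UnrelatedRoot other   # stands in for a stale image trust store
  mk_signed TestIntermediate int root \
    'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign'
  mk_signed vaultwarden.example.test leaf int \
    'basicConstraints=CA:FALSE' 'subjectAltName=DNS:vaultwarden.example.test'
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/root+int.pem"   # the /etc/ssl/certs fix
}

# check_chain TRUST_BUNDLE [SERVED_INTERMEDIATE]: prints OK or openssl's reason.
# TRUST_BUNDLE plays the container's /etc/ssl/certs store; the optional second
# argument plays the intermediate the reverse proxy does (or does not) send.
check_chain() {
  if [ $# -ge 2 ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  if out=$(openssl verify "$@" "$WORK/leaf.crt" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

make_chain
echo "stale trust store, proxy sends intermediate: $(check_chain "$WORK/other.crt" "$WORK/int.crt")"
echo "right root, proxy omits intermediate:        $(check_chain "$WORK/root.crt")"
echo "right root, proxy sends intermediate:        $(check_chain "$WORK/root.crt" "$WORK/int.crt")"
echo "intermediate added to trust store too:       $(check_chain "$WORK/root+int.pem")"
```

The first two cases print the same reason the Rust client surfaced in the logs above, so the message alone does not tell you which side (image trust store or proxy chain) is at fault; `openssl s_client -showcerts` against the real host is how to tell them apart.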

@michaelortnersanube

Hello, what error are you getting?

@itiser

itiser commented Jan 27, 2022

#39 (comment)

@michaelortnersanube

This is maybe because of your filter. I have set a filter for all active users: (&(objectCategory=organizationalPerson)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

@itiser

itiser commented Jan 27, 2022

I tested my ldap filter with bitwarden directory connector...

This simple filter should also work, I think: (objectClass=user). Or not?

@itiser

itiser commented Jan 27, 2022

I think the error is not (only?) LDAP, it is the connection to the vaultwarden admin page:
with a text-based browser I got the same message, which I have to accept manually before I can proceed to
the vw admin page:

[screenshot]

@itiser

itiser commented Jan 27, 2022

OK. I've re-done the whole process and now it works...

So it wasn't the LDAP filter (which was wrong too... :-)

@pabsroq
Author

pabsroq commented Sep 1, 2022

> OK. I've re-done the whole process and now it works...
>
> So it wasn't the LDAP filter (which was wrong too... :-)

Which filter did you end up using?
What did you redo within your process?

thx

@pabsroq
Author

pabsroq commented Sep 1, 2022

How is this related to LDAP reading though? Thanks!

@itiser

itiser commented Sep 2, 2022

> OK. I've re-done the whole process and now it works...
> So it wasn't the LDAP filter (which was wrong too... :-)
>
> Which filter did you end up using? What did you redo within your process?
>
> thx

Don't know anymore, too long ago. The whole "right certificates in folders and cache" thing...

The filter I'm using is:

ldap_search_filter = "(&(objectClass=user)(objectcategory=person)(memberOf=CN=*,OU=*,OU=*,OU=*,DC=*,DC=*)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

You have to replace the stars with your AD info (maybe more or fewer OUs...).

It reads like: user with a mail address in the selected AD (sub)directory which is not deactivated (?)
I'm not sure about the userAccountControl part... as I said: too long ago...

I hope it helps...
