TLS/SSL issue with LDAP + Let's Encrypt Certs #5
Comments
Let's Encrypt certificates should be accepted; the CA certs are bundled with Stalwart. Do you see any warnings or errors if you run …? Can your LDAP server be accessed from the internet? If you want I can also try debugging this from my side, I just need the hostname (you can email it to …).
I'll shoot the email over in just a second, but here's the output from openssl:
Thanks, got the email. I'll look into it this afternoon and send you an update.
I just tried connecting to your server over SSL and it seems to be working fine. I get an error code 32 (…).

```toml
[directory."ldap"]
type = "ldap"
address = "ldaps://ldap.xyz.com:636"
```
Still a no-go, even if I specify the port number. For whatever reason it keeps spitting out a TLS negotiation error in the OpenLDAP logs, and Stalwart spits out an error about the certificates being presented by OpenLDAP being from an unknown issuer. I'm not sure if this might be specific to the arm64 container or whatnot, but I can get it to work with LDAPS as long as I disable certificate verification, so I can do that for now at least. Normally I'd just use ldapi to connect via a Unix socket, but for now I can just connect over localhost and turn off the cert verification.
I have confirmed this is a container issue, the CA certs are missing. To fix it, log in to the container and run:

```sh
$ apt-get update
$ apt-get install ca-certificates
```

I'll update the Dockerfile now.
Btw, I incorrectly said that the LDAP directory did not support self-signed certificates. It does support this as well as STARTTLS. I'll be updating the documentation soon: the connection details for the LDAP directory are specified under the …

For example:

```toml
[directory."ldap"]
type = "ldap"
address = "ldap://localhost:3893"
base-dn = "dc=example,dc=org"
tls = true
allow-invalid-certs = false
```
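The two failure modes discussed in this thread (a container with no CA bundle, and the `allow-invalid-certs = true` workaround) are easy to tell apart from inside the container with a bare TLS handshake, before involving Stalwart or OpenLDAP at all. The script below is an added example, not Stalwart's code and not from this issue; it is Python (stdlib only, so it runs in a minimal container without installing anything) rather than Rust. The hostname `ldap.example.org`, the function names, and the mapping of `allow-invalid-certs` onto `ssl` verification flags are my assumptions.

```python
"""Diagnose an LDAPS "unknown issuer" handshake failure from inside a container.

Added example, not Stalwart code. It checks (1) whether a system CA bundle is
present at all, which is what was missing in the thread, and (2) whether a TLS
handshake to the LDAP host validates under "allow-invalid-certs = false" or only
under the insecure "= true" setting.
"""
import os
import socket
import ssl
from typing import Optional


def trust_store_status() -> dict:
    """Report where OpenSSL looks for its default CA store and whether it exists.
    In an image built without the `ca-certificates` package, both paths are
    usually absent, and every public CA (Let's Encrypt included) is "unknown"."""
    paths = ssl.get_default_verify_paths()
    return {
        "expected_cafile": paths.openssl_cafile,
        "cafile_present": bool(paths.cafile) and os.path.isfile(paths.cafile),
        "expected_capath": paths.openssl_capath,
        "capath_present": bool(paths.capath) and os.path.isdir(paths.capath),
    }


def ldap_tls_context(allow_invalid_certs: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Map the config knob from the thread onto verification settings (my mapping).
    allow-invalid-certs = false -> chain and hostname are verified.
    allow-invalid-certs = true  -> nothing is verified: the insecure workaround."""
    ctx = ssl.create_default_context(cafile=cafile)
    if allow_invalid_certs:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_handshake_error(exc: BaseException) -> str:
    """Turn a handshake exception into the category the thread argued about."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL verify code 20 = "unable to get local issuer certificate":
        # the server's chain may be perfectly valid, but nothing in the local
        # trust store anchors it. That is the CA-bundle-missing symptom.
        if getattr(exc, "verify_code", None) == 20:
            return "unknown-issuer"
        return "certificate-rejected: " + str(getattr(exc, "verify_message", exc))
    if isinstance(exc, ssl.SSLError):
        return "tls-protocol-error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, OSError):
        return "connect-failed"
    return "unknown"


def probe_ldaps(host: str, port: int = 636, allow_invalid_certs: bool = False,
                timeout: float = 5.0) -> dict:
    """Do a TLS handshake only (no LDAP bind) and report how it ended.
    Needs network access; run it inside the container that shows the error.
    A client-side rejection here is what OpenLDAP logs as a negotiation error."""
    ctx = ldap_tls_context(allow_invalid_certs)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert() or {}  # empty dict under CERT_NONE
                return {"ok": True, "version": tls.version(), "issuer": cert.get("issuer")}
    except Exception as exc:  # noqa: BLE001 - we want to classify everything
        return {"ok": False, "reason": classify_handshake_error(exc), "detail": str(exc)}


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"  # assumed host
    print(json.dumps(trust_store_status(), indent=2))
    print(json.dumps(probe_ldaps(target, allow_invalid_certs=False), indent=2))
    print(json.dumps(probe_ldaps(target, allow_invalid_certs=True), indent=2))
```

If `cafile_present` and `capath_present` are both false, the strict probe will report `unknown-issuer` and the permissive one will succeed, which reproduces the thread exactly; the fix is to install the CA bundle, not to leave `allow-invalid-certs = true` in place, since that setting also disables hostname checking.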
New Dockerfile fixed it. Thanks!
Great! I'll group some other changes and publish a new version soon.
First off, I'm using the Docker image stalwartlabs/mail-server:latest on arm64.
Tried connecting to OpenLDAP via ports 389 (STARTTLS) and 636 (SSL), but it ends up timing out with the following:
Checking the logs from OpenLDAP, I noticed the following:
I'm using Let's Encrypt certs, they're currently valid, and I'm not getting any errors from any other services. I'm guessing there is an issue with CA certs not being present in the Docker image, or they're not getting imported by rustls.
I dug around the source and found where/how to disable certificate validation, which did allow me to connect to my directory, but I also noticed that where to put these options wasn't in the documentation:
Thanks!