LDAP with Letsencrypt

Hello, everyone! I hope you are having a good day. I'm not sure if this is the right place to ask for help, but I'm having an issue connecting through my LDAP, and since this is my first time using it I'm really confused about what to do. I have done some research and saw something related to SSL, OpenSSL, slapd etc., so I thought there must be an issue or things that need to be done for it to work. Btw, I'm currently using the one installed from certbot.

The error I'm getting is ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1). I have tried using ldapsearch, however I'm not sure if I also have to indicate the username and password, since I don't know either what to use, since they've only provided me the IP and port to use. If you would ask me what this is for, I'm currently working on our ticketing system, which uses osTicket as its main software.

What I produced:

ldap_url_parse_ext(ldaps://10.16.11.129:1636)
ldap_create
ldap_url_parse_ext(ldaps://10.16.11.129:1636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.16.11.129:1636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.16.11.129:1636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

My domain is: ***

I ran this command: ldapsearch -H ldaps://helpdesk.dilc.info -x -b "" -s base "objectclass=*" -d1

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is: X

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Your help would be much appreciated!

1 Like

Check that your LDAP server is configured to use your certificate with the "full chain" file instead of the certificate file as otherwise the required intermediates won't be included when talking to the client app.

7 Likes

Do you know what software is running the LDAP server? slapd is the LDAP server from the OpenLDAP project and is a common one, for example.

2 Likes

I think I've already found the problem. I think the client is not trusting the certificate provided by the server. I'll do some more digging and get back to you with more information. Thank you for the help @webprofusion @jscott0 :slight_smile:

2 Likes

Yes, that's what the following error would suggest:

The reasons for not trusting a presented cert are various, but include:

  • a wrong or expired cert being used (or no cert)
  • the certificate chain served is incomplete (e.g. only the main cert is presented and the "intermediate" certs are not)
  • the root issuer of the certificate chain is not trusted by the client. This is usually that the client's own certificate trust store is outdated.

5 Likes

OR
Sometimes... When the date is [very] out-of-sync on the client.

6 Likes
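As an added example (not code from the thread, from OpenLDAP or from Certbot), a small POSIX shell helper that turns `openssl s_client -showcerts` output into the diagnoses the two replies above list: incomplete chain, expired cert or clock skew, untrusted issuer. The host name, port usage and the sample certificate excerpts are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper for the failure above (not from the thread or from
# OpenLDAP). It reads `openssl s_client -showcerts` output and reports how many
# certificates the server sent plus OpenSSL's verify code, mapped to the causes
# the replies list: incomplete chain, expiry or clock skew, untrusted issuer.

# Fetch the chain from a live LDAPS endpoint (network; the demo below does not
# call it). Usage: fetch_chain helpdesk.example 1636 | chain_summary
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Summarise s_client output from stdin as "certs=<n> verify=<code> <diagnosis>".
chain_summary() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || code=none
    case "$code" in
        0)     diag="chain verified by this client" ;;
        9)     diag="cert not yet valid: check the client clock" ;;
        10)    diag="cert expired: renew it (or the client clock is wrong)" ;;
        19|20) diag="issuer not trusted: update the client's CA bundle" ;;
        21)    diag="cannot verify leaf: intermediates missing, point the server at fullchain.pem" ;;
        *)     diag="verify failed, code $code" ;;
    esac
    # One served cert is the classic cert.pem-instead-of-fullchain.pem symptom.
    [ "$n" -gt 1 ] || diag="$diag (only $n cert served)"
    echo "certs=$n verify=$code $diag"
}

# Constructed s_client excerpts for the demo (placeholders, not real certs).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = ldap.example.test
   i:C = US, O = Example CA, CN = R3
-----BEGIN CERTIFICATE-----
leaf placeholder
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_FULL_CHAIN='-----BEGIN CERTIFICATE-----
leaf placeholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate placeholder
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'
printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_summary
printf '%s\n' "$SAMPLE_FULL_CHAIN" | chain_summary
```

Run it against the real server with `fetch_chain <host> <port> | chain_summary`; a verify code of 0 there together with the ldapsearch error still failing points at the LDAP client's own trust store rather than the served chain.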

Btw, could you guys please enlighten me about the difference between, or the use of, OpenLDAP, OpenSSL and slapd, because I'm not sure where to start. My plan is to regenerate a new SSL but without using certbot. Do you guys have any idea on what or where I can find documentation? Thank you!

1 Like

I saw an ssl folder from the Ubuntu terminal but I'm not quite sure how to use that. Also, I saw some people mention a directory like etc/ldap/... but I couldn't find one in mine.
