Hello,
I am trying to configure LDAPS for authentication within AWX. I currently have LDAP working, but have been unsuccessful in configuring LDAPS. Here is what I have tried using the instructions I can find.
- I created a PEM file with the certificate chain information I received from openssl.
- openssl s_client -connect ldap.server:636 -showcerts
- I copied the cert info, two certs, in the order displayed in the output from above.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I created a generic secret using the following:
- kubectl -n awx create secret generic awx-ca-cert --from-file=ldap-ca.crt=/path/to/cert/cert.pem
Updated my awx configuration file to reference secret.
- ldap_cacert_secret: awx-ca-cert
- bundle_cacert_secret: awx-ca-cert
I have verified that the awx container has the correct cert information:
- kubectl -n awx exec -it deployment/awx-web -c awx-web -- cat /etc/openldap/certs/ldap-ca.crt
From what I understand this is how the documentation explains the setup. And yet I am receiving the below error when I have ldaps configured for login.
django_auth_ldap Caught LDAPError while authenticating SSL routines::certificate verify failed (unable to get issuer certificate)
Testing the cert file with the following command:
openssl s_client -connect ldap.server:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt
Results:
Verify return code: 2 (unable to get issuer certificate)
So, I have not configured the cert information correctly, but cannot figure out precisely what the problem is. I’m hoping that someone here can help highlight where I’ve made my mistake(s).
Thank you very much.
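An added example, not from the original post or the AWX project: the script below builds a throwaway root -> intermediate -> server chain with openssl (all names, such as Example Root CA and ldap.example.internal, are made up), then runs openssl verify against a bundle that holds only what `s_client -showcerts` prints (server cert plus intermediate) and against the same bundle with the root appended. It also reports the subject and issuer of every certificate in each bundle, which is the check that tells the two cases apart.

```shell
set -eu

# Constructed throwaway PKI with hypothetical names; nothing here contacts a server.
WORK=$(mktemp -d)
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# x509v3 extension profiles for the CA certificates and for the server (leaf) cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.internal\n' > leaf.ext

{
  # Root CA: self-signed, so its subject equals its issuer
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" -keyout root.key -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.pem
  # Intermediate CA, issued by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -sha256 -extfile ca.ext -out int.pem
  # LDAP server certificate, issued by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.internal" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -sha256 -extfile leaf.ext -out leaf.pem
} 2>/dev/null

# A TLS server may omit the root from its handshake, so `s_client -showcerts`
# typically yields only the leaf and the intermediate(s): that is showcerts.pem.
cat leaf.pem int.pem > showcerts.pem
cat leaf.pem int.pem root.pem > with-root.pem

# Print "subject <- issued by issuer" for every certificate in a PEM bundle, in file order.
describe_bundle() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("desc" n ".pem")}' "$1"
  for f in desc*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)
    i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253)
    echo "  ${s#subject=}  <-  issued by  ${i#issuer=}"
  done
  rm -f desc*.pem
}

# Succeed (exit 0) only if the last certificate in the bundle is self-signed,
# i.e. the bundle actually ends in a trust anchor rather than in an intermediate.
bundle_ends_in_root() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1" > last.pem
  subj=$(openssl x509 -in last.pem -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in last.pem -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the OpenSSL verify error number for LEAF checked against BUNDLE (0 on success).
verify_code() {  # verify_code BUNDLE LEAF
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

echo "Bundle built from s_client -showcerts output:"
describe_bundle showcerts.pem
echo "  openssl verify error code: $(verify_code showcerts.pem leaf.pem)"
echo "Same bundle with the root appended:"
describe_bundle with-root.pem
echo "  openssl verify error code: $(verify_code with-root.pem leaf.pem)"
```

For the two-certificate bundle, openssl verify stops at the intermediate and reports error 2 (unable to get issuer certificate): the last certificate in the file names an issuer that is not in the file, so there is no self-signed anchor to end the chain. Appending the root turns the same check into a clean pass, and `bundle_ends_in_root` distinguishes the two files without contacting the server.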