[GH-ISSUE #1206] [BUG] lldap_set_password doesn't respect system certificates #428

Closed
opened 2026-02-27 08:17:15 +03:00 by kerem · 10 comments
Owner

Originally created by @BerkhanBerkdemir on GitHub (Jul 8, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1206

Originally assigned to: @Copilot on GitHub.

The lldap_set_password binary does not respect system certificates entirely.

Because of that, if the user brings their own CA or self-signed certificate, they won't be able to use lldap_set_password, and thus their bootstrap.sh will fail during the user password update.

This bug report can be reproduced with the docker.io/lldap/lldap:stable or docker.io/lldap/lldap:2025-07-06 container.

To Reproduce

Steps to reproduce the behavior:

  1. Run lldap container with entrypoint to bash.
    podman run -it --network systemd-traefik --dns '2001:db8:7a42:91ce:3f8d:2b15:c094:7e83' --rm --env-file /var/lib/lldap/bootstrap/bootstrap.env -v /var/lib/lldap/bootstrap:/bootstrap --entrypoint bash docker.io/lldap/lldap:stable
    
  2. Run bootstrap.sh or lldap_set_password
    bash bootstrap.sh
    # or
    ./lldap_set_password --base-url https://ldap.example.com --admin-password SecretPassw0rd --username john --password SecretPassw0rd
    
  3. See the following error when you run the mentioned methods. bootstrap.sh shows it after the user is created.
    Error: While logging in
    
    Caused by:
        0: error sending request for url (https://ldap.example.com/auth/simple/login): error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
        1: error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
        2: invalid peer certificate: Other(CaUsedAsEndEntity)
    

Expected behavior

lldap_set_password should read the system certificates, or provide a flag/environment variable pointing to which certificates to read.

Since the mentioned binary doesn't have verbose mode, only the posted error is available.

kerem 2026-02-27 08:17:15 +03:00
  • closed this issue
  • added the bug label
Author
Owner

@nitnelave commented on GitHub (Jul 8, 2025):

It looks like we just need to add the "rustls-tls-native-roots-no-provider" feature to the crate. In set-password/Cargo.toml, add it to the features of reqwest.

Author
Owner

@nitnelave commented on GitHub (Jul 8, 2025):

You can give it a try and tell me if it works for you. @BerkhanBerkdemir

Author
Owner

@BerkhanBerkdemir commented on GitHub (Jul 9, 2025):

Hey @nitnelave! Thanks for the quick patch. I wasn't expecting this to be that simple, even though I knew it had something to do with upstream. I am looking at the CI pipeline, but I am not seeing any artifacts that are generated.

https://github.com/lldap/lldap/actions/runs/16154001242/job/45592430171

This CI job failed because of a 503? Though, I tried putting the binary into a container like below:

# sudo podman run -it --rm --env-file /var/lib/lldap/bootstrap/bootstrap.env -v /var/lib/lldap/bootstrap:/bootstrap:ro,Z -v "$PWD/lldap_set_password:/app/lldap_set_password:Z" -v /etc/ssl/custom-ca.crt:/usr/local/share/ca-certificates/custom-ca.crt:Z --entrypoint bash docker.io/lldap/lldap:2025-07-06
f3d75986cc23:/app# curl https://ldap.example.com
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
f3d75986cc23:/app# update-ca-certificates
f3d75986cc23:/app# curl https://ldap.example.com
<!doctype html>
...
f3d75986cc23:/app# ./lldap_set_password --base-url https://ldap.example.com --admin-password SecretPassw0rd -u john -p SecretPassw0rd
Error: While logging in

Caused by:
    0: error sending request for url (https://ldap.example.com/auth/simple/login): error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
    1: error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
    2: invalid peer certificate: Other(CaUsedAsEndEntity)
Author
Owner

@nitnelave commented on GitHub (Jul 9, 2025):

There should be a nightly docker build generated within 24h that you can pick up.

That said, I haven't actually tested that it fixed anything :D

Author
Owner

@BerkhanBerkdemir commented on GitHub (Jul 9, 2025):

Apparently, Docker Hub doesn't have any updated containers since July 6, as well as the last push.

Author
Owner

@BerkhanBerkdemir commented on GitHub (Jul 9, 2025):

This output is from bootstrap.sh

# podman run --rm \
          --env-file /var/lib/lldap/bootstrap/bootstrap.env \
          --volume /var/lib/lldap/bootstrap:/bootstrap:ro,Z \
          --volume /etc/ssl/custom-ca.crt:/usr/local/share/ca-certificates/custom-ca.crt:ro,Z \
          --entrypoint /bin/bash \
          docker.io/lldap/lldap:2025-07-06 \
          -c 'update-ca-certificates && bash /app/bootstrap.sh'
...
--- john ---
User "john" successfully updated
Error: error sending request for url (https://ldap.example.com/auth/opaque/register/start): error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)

Caused by:
    0: error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
    1: invalid peer certificate: Other(CaUsedAsEndEntity)

I guess last thing I will try is to change something in my CA chain.

Author
Owner

@nitnelave commented on GitHub (Jul 10, 2025):

The pipeline that's supposed to produce the docker image keeps failing. I'll try again, but it's not LLDAP, it's GH actions the problem.

Author
Owner

@BerkhanBerkdemir commented on GitHub (Jul 10, 2025):

Apparently I was using a self-signed certificate but not my CA. Now I have added my CA, and I am still getting the following error from docker.io/lldap/lldap:2025-07-06.

However, good news: with docker.io/lldap/lldap:2025-07-10, the problem has been solved. If I omit my CA chain, bootstrap.sh gets stuck on 'waiting lldap' because quiet curl fails to verify the authenticity of the certificate.

The one-liner below would help others in the future, I believe.

podman run --rm \
    --env-file /var/lib/lldap/bootstrap/bootstrap.env \
    --volume /var/lib/lldap/bootstrap:/bootstrap \
    --volume /etc/pki/ca-trust/source/anchors/custom-ca.pem:/usr/local/share/ca-certificates/custom-ca.crt \
    --entrypoint /bin/bash \
    docker.io/lldap/lldap:2025-07-10 \
    -c 'update-ca-certificates && bash /app/bootstrap.sh'
Author
Owner

@nitnelave commented on GitHub (Jul 10, 2025):

So the fix worked? Woohoo!

Author
Owner

@BerkhanBerkdemir commented on GitHub (Jul 11, 2025):

It worked, and I am perfecting the GitOps part of the project. I've followed some of the documentation, but I am seeing possible improvements. I hope that those improvements are not specific to my architecture. This bug report can now be closed :)
