I was hoping I can use Traefik to encrypt my OpenLDAP traffic. I know that LDAP clients do not support SNI, but as this is the only service running on the machine, I hoped that using HostSNI(`*`) and sniStrict = false would do the trick. Let's Encrypt issues the certificates right, but Traefik presents the default self-signed certificate to all clients instead of the Let's Encrypt one.
Here is my config:
    # Static configuration
    [log]
      level = "DEBUG"

    [entryPoints]
      [entryPoints.ldapsecure]
        address = ":636"
      [entryPoints.web]
        address = ":80"

    [certificatesResolvers.le.acme]
      email = "haXXX"
      storage = "/root/storage.json"
      [certificatesResolvers.le.acme.httpChallenge]
        entryPoint = "web"

    [providers]
      [providers.file]
        filename = "./dynamic.toml"

    # dynamic.toml (dynamic configuration loaded by the file provider above)
    [tls.options]
      [tls.options.default]
        sniStrict = false

    [tcp.routers]
      [tcp.routers.ldaprouter]
        rule = "HostSNI(`*`)"
        entryPoints = ["ldapsecure"]
        service = "ldapservice"
        [tcp.routers.ldaprouter.tls]
          options = "default"
          certResolver = "le"
          [[tcp.routers.ldaprouter.tls.domains]]
            main = "ldap.mydomain..."

    [tcp.services]
      [tcp.services.ldapservice.loadBalancer]
        [[tcp.services.ldapservice.loadBalancer.servers]]
          address = "127.0.0.1:389"
After googling for hours, I found no further hint on what else to try, so I hope someone has a clue here.
The log has:
    DEBU[2020-10-08T15:00:31+02:00] Handling connection from XX.XX.XX.XX:52302
    DEBU[2020-10-08T15:00:31+02:00] Serving default certificate for request: ""
Thanks for any hint!
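A check worth running before changing the config, added here as an example and not part of the original post (PROBE_HOST, PROBE_PORT and PROBE_SNI are placeholder variables): compare what Traefik serves on :636 with and without SNI, since the log line `Serving default certificate for request: ""` says the client sent an empty server name.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. It compares the leaf
# certificate Traefik presents on the LDAPS entry point with SNI (as a
# browser would send it) and without SNI (as an LDAP client connects).
# PROBE_HOST / PROBE_PORT / PROBE_SNI are placeholders the operator sets;
# nothing is probed unless PROBE_HOST is given, so the file is safe to source.

# Print the subject and issuer of the certificate a TLS server presents.
# $1 = host, $2 = port, $3 = SNI name; an empty $3 sends no SNI at all
# (-noservername needs OpenSSL 1.1.1 or later).
probe_cert() {
    if [ -n "$3" ]; then
        printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null
    else
        printf '' | openssl s_client -connect "$1:$2" -noservername 2>/dev/null
    fi | openssl x509 -noout -subject -issuer 2>/dev/null
}

# Classify the subject/issuer text: Traefik's built-in fallback certificate
# carries the subject "CN = TRAEFIK DEFAULT CERT".
classify_cert() {
    case "$1" in
        *"TRAEFIK DEFAULT CERT"*) echo "traefik-default" ;;
        *"Let's Encrypt"*)        echo "letsencrypt" ;;
        *)                        echo "other" ;;
    esac
}

# Only run the network probe when the operator supplies a host.
if [ -n "${PROBE_HOST:-}" ]; then
    port="${PROBE_PORT:-636}"
    sni="${PROBE_SNI:-$PROBE_HOST}"
    with_sni=$(probe_cert "$PROBE_HOST" "$port" "$sni")
    without_sni=$(probe_cert "$PROBE_HOST" "$port" "")
    echo "with SNI ($sni): $(classify_cert "$with_sni")"
    echo "without SNI:     $(classify_cert "$without_sni")"
    # "letsencrypt" with SNI but "traefik-default" without it confirms that
    # Traefik holds the ACME certificate but only selects it by SNI, falling
    # back to the default certificate for SNI-less connections such as LDAP.
fi
```

Run it as `PROBE_HOST=ldap.example PROBE_SNI=ldap.example sh probe.sh`; if both lines say `traefik-default`, the certificate store is the problem rather than SNI.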