I am attempting to configure Traefik 2.4.8 as an LDAPS proxy to allow SSL connections to a server that only has insecure LDAP (port 389) configured. I have been going around in circles with this and I think I have finally nailed down the problem, but I don't know how to fix it.
I have both HTTPS (port 443) and LDAPS (port 636) entrypoints configured:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: "websecure"
  websecure:
    address: ":443"
  ldaps:
    address: ":636"
```
I have an acme resolver set up for a local private CA to generate certificates. This is working perfectly for the websecure entrypoint with just the root CA certificate installed on the client machine. However, when I try to connect to the ldaps port from the same client machine with an LDAP client I get an error report of an incomplete chain. I have verified via openssl that both ports 443 and 636 are using the same certificate. There is also only one certificate entry in the Traefik server's acme.json file.
I decoded the base64 string from the certificate entry in acme.json and verified that it includes 2 certificates, one for the server and the other for the intermediate CA issuer, just as I would expect. However, it appears that Traefik is just offering up the first certificate on the TCP port. Is there an option that I am missing somewhere in the Traefik config for this?
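The chain comparison described in the question (what each entrypoint actually sends during the handshake versus what acme.json stores), written out as a small added script; this is example code, not part of the original post or of Traefik. It assumes openssl, jq and base64 are installed, that the chain is checked from a machine that can reach both ports, and that the resolver key in acme.json is named "myresolver" (a placeholder to replace with your own resolver name).

```shell
#!/bin/sh
# Added example: compare the certificate chain served on 443 and 636 with the
# chain stored in Traefik's acme.json. Assumes openssl, jq and base64 exist.

# Count PEM certificate blocks in text read from stdin (prints 0 if none).
count_pem_certs() {
    awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }'
}

# PEM certificates the server presents in the TLS handshake.
# Port 636 is implicit TLS (LDAPS), so no -starttls is needed.
served_chain() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# PEM bundle stored for a domain in acme.json (the base64 "certificate" field).
# Resolver name is a placeholder; use the key your acme.json actually contains.
stored_chain() {
    acme_file=$1; resolver=$2; domain=$3
    jq -r --arg r "$resolver" --arg d "$domain" \
        '.[$r].Certificates[] | select(.domain.main == $d) | .certificate' \
        "$acme_file" | base64 -d
}

# Print, for each entrypoint, how many certificates were served versus stored.
# A served count of 1 while acme.json holds 2 confirms the incomplete chain.
compare_chains() {
    host=$1; acme_file=$2; resolver=${3:-myresolver}
    stored=$(stored_chain "$acme_file" "$resolver" "$host" | count_pem_certs)
    for port in 443 636; do
        served=$(served_chain "$host" "$port" | count_pem_certs)
        echo "port $port: served $served cert(s), acme.json holds $stored"
    done
}

# Usage (needs network access to the Traefik host, so not run here):
#   compare_chains ldap.example.com /etc/traefik/acme.json myresolver
```

The domain passed as the first argument must match the `domain.main` value of the certificate entry in acme.json, otherwise the stored count is 0.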