Skip to content

[Bug]: LDAPS CA Certificate not working #53033

New issue
New issue
Closed as not planned
Bug
Closed as not planned
[Bug]: LDAPS CA Certificate not working#53033
Bug
Labels
0. Needs triagePending check for reproducibility or if it fits our roadmap32-feedbackbugfeature: ldapneeds infostaleTicket or PR with no recent activity
@maxdallmair

Description

@maxdallmair
maxdallmair
opened on May 21, 2025

Hello everyone,

I am running a Nextcloud AIO instance with docker-compose.
I have installed and configured the LDAP plugin. With the check mark in the setting “Turn off SSL certificate verification.” the connection also works promptly. Unfortunately not with SSL.

Here I had already a discussion in the AIO repository with some infos.
nextcloud/all-in-one#6426

I have set the ENV variable NEXTCLOUD_TRUSTED_CACERTS_DIR: /srv/nextcloud/ssl where my ROOTCA.crt is located in my compose.

According to this guide, that's the only thing to do. GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Unfortunately, the connection does not work. I then executed the following command, which I found in a Git issue.
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:certificates:import /usr/local/share/ca-certificates/ROOTCA-JO-DC.crt

The certificate is then also displayed with this command. Unfortunately, the connection still does not work.
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:certificates

ldaps and Port 636 is configured.

Output of sudo docker info
Client: Docker Engine - Community
Version: 28.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.21.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.33.1
Path: /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 12
Running: 10
Paused: 0
Stopped: 2
Images: 23
Server Version: 28.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
runc version: v1.2.4-0-g6c52b3f
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.1.0-35-amd64
Operating System: Debian GNU/Linux 12 (bookworm)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.823GiB
Name: cloud
ID: 8b885316-a703-4fda-a7e2-d8187eba8786
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false

Expected behavior

LDAP should work with imported ROOTCA.crt

Nextcloud Server version

master

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

None

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

services:
nextcloud-aio-mastercontainer:
image: ghcr.io/nextcloud-releases/all-in-one:latest
init: true
restart: always
container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
- /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
network_mode: bridge # add to the same network as docker run would do
ports:
- 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
- 8080:8080
- 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
environment: # Is needed when using any of the options below
NEXTCLOUD_TRUSTED_CACERTS_DIR: /srv/nextcloud/ssl # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work

List of activated Apps



Nextcloud Signing status




Nextcloud Logs




Additional info


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    0. Needs triagePending check for reproducibility or if it fits our roadmap32-feedbackbugfeature: ldapneeds infostaleTicket or PR with no recent activity
    Type
    Bug
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions