
LDAP can't get TLS (ldaps://) to work #12162

Open
ldehner opened this issue Nov 22, 2024 · 1 comment
Labels
question Further information is requested

Comments


ldehner commented Nov 22, 2024

Describe your question
I am new to authentik and set up LDAP. The ldap:// on port 389 works fine but secured ldaps:// doesn't work. I get this error and don't know what to do anymore.

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
  1. Any ideas what I can do?
  2. Is it safe to use normal ldap?

Logs

root@PC:/mnt/c/Users/linus# ldapsearch -d 1 -x -H ldaps://192.168.178.2 -D "cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io" -b 'DC=ldap,DC=goauthentik,DC=io' '(objectClass=user)' -Wcc
ldap_url_parse_ext(ldaps://192.168.178.2)
ldap_create
ldap_url_parse_ext(ldaps://192.168.178.2:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.178.2:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.178.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Version and Deployment (please complete the following information):

  • authentik version: 2024.10.2
  • Deployment: docker via unraid
ldehner added the label "question" (Further information is requested) on Nov 22, 2024

mtb-xt commented Nov 24, 2024

@ldehner unfortunately, the answer is right there - TLS: peer cert untrusted or revoked (0x42).

You're probably using a self-signed certificate, and your local machine can't validate it. The easiest thing you can do is use a TCP load balancer that has TLS, to terminate TLS, and then forward traffic internally to port 389.
Like AWS NLB LDAPS port 636 -> authentik port 389

To use plain LDAP securely, you will need StartTLS (and probably would have the same issue).
Also, have a look here -> https://stackoverflow.com/questions/25424622/authenticating-a-self-signed-certificate-for-ldaps-connection
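A runnable illustration of the trust failure discussed above and of the fix that keeps certificate verification switched on, added here and not part of the issue or of authentik: it mints a throwaway CA and a server certificate for 192.168.178.2 with openssl, shows the chain check failing while the client does not know the CA and passing once it does, and prints the ldapsearch invocation from the issue with LDAPTLS_CACERT pointing at that CA. The CA, certificate and file names are constructed for the demo; the `openssl` binary is assumed to be present.

```shell
#!/bin/sh
# Constructed demo (not from the issue): mint a throwaway CA plus a server cert
# for 192.168.178.2, then run the trust check libldap performs before the bind.
set -eu
WORK=$(mktemp -d)
LDAP_HOST=192.168.178.2   # host from the issue; only used as the cert's SAN here

mint_certs() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt=no
distinguished_name=dn
x509_extensions=v3ca
[dn]
CN=Demo LDAP CA
[v3ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign
[v3srv]
subjectAltName=IP:$LDAP_HOST
EOF
  # Throwaway CA: stands in for whatever signed the authentik outpost's cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # Server cert: the SAN must match the host in the ldaps:// URL, or hostname
  # verification fails even when the chain itself is trusted.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=ldap-outpost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/req.cnf" -extensions v3srv -out "$WORK/server.pem" >/dev/null 2>&1
}

# Client with no knowledge of the CA: fails, which is the 0x42 "peer cert untrusted" case.
verify_without_ca() { openssl verify "$WORK/server.pem" >/dev/null 2>&1; }

# Client that trusts the issuing CA: the very same certificate now passes.
verify_with_ca() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; }

# The search from the issue, with the CA handed to libldap through LDAPTLS_CACERT
# (same effect as TLS_CACERT in /etc/ldap/ldap.conf); nothing is executed here.
ldapsearch_cmd() {
  printf 'LDAPTLS_CACERT=%s ldapsearch -x -H ldaps://%s -D "cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io" -b "DC=ldap,DC=goauthentik,DC=io" "(objectClass=user)" -W\n' \
    "$WORK/ca.pem" "$LDAP_HOST"
}

mint_certs
```

Pointing the client at the issuing CA is the fix that preserves the check; setting TLS_REQCERT to never would silence the error but also accept any certificate an on-path host presents.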
