hacor / unifi-freeradius-ldap

A freeradius docker container to connect to the Google Secure LDAP service

TLS error when attempting to launch container #17

Open taydy00 opened 2 years ago

taydy00 commented 2 years ago

I should note that this is my first time attempting to deploy something in Docker, so if I'm missing something obvious I apologize. I've moved the files Google has given me to the respective certs folder, and configured everything else. However, init.sh refuses to run no matter what I do. No biggie, I assumed maybe I needed to run init.sh from within the container. Now when I go to do `sudo docker-compose up` it gets so close, but throws the following error: `TLS: can't connect: A TLS fatal alert has been received..`

I've turned on log output as well, and below is the full log:

```
unifi-freeradius-ldap_1 | + echo freeradius
unifi-freeradius-ldap_1 | + sed -i 's|ACCESS_ALLOWED_CIDR|10.1.1.1/24|g' /etc/freeradius/clients.conf
unifi-freeradius-ldap_1 | freeradius
unifi-freeradius-ldap_1 | + sed -i 's|SHARED_SECRET|testing123|g' /etc/freeradius/clients.conf
unifi-freeradius-ldap_1 | + sed -i 's|BASE_DOMAIN|sages|g' /etc/freeradius/proxy.conf
unifi-freeradius-ldap_1 | + sed -i 's|DOMAIN_EXTENSION|us|g' /etc/freeradius/proxy.conf
unifi-freeradius-ldap_1 | + sed -i 's|GOOGLE_LDAP_PASSWORD|RebdFZrgrHEXgmqja3BbRTBb|g' /etc/freeradius/mods-available/ldap
unifi-freeradius-ldap_1 | + sed -i 's|GOOGLE_LDAP_USERNAME|GruesomeZe|g' /etc/freeradius/mods-available/ldap
unifi-freeradius-ldap_1 | + sed -i 's|BASE_DOMAIN|sages|g' /etc/freeradius/mods-available/ldap
unifi-freeradius-ldap_1 | + [[ us =~ [.] ]]
unifi-freeradius-ldap_1 | + sed -i 's|DOMAIN_EXTENSION|us|g' /etc/freeradius/mods-available/ldap
unifi-freeradius-ldap_1 | + cp /certs/ldap-client.key /etc/freeradius/certs/ldap-client.key
unifi-freeradius-ldap_1 | + cp /certs/ldap-client.crt /etc/freeradius/certs/ldap-client.crt
unifi-freeradius-ldap_1 | + chown freerad:freerad /etc/freeradius/certs/ldap-client.crt /etc/freeradius/certs/ldap-client.key
unifi-freeradius-ldap_1 | + chmod 640 /etc/freeradius/certs/ldap-client.crt /etc/freeradius/certs/ldap-client.key
unifi-freeradius-ldap_1 | + FILES_640=("ca.key" "server.key" "server.p12" "server.pem" "ldap-client.crt" "ldap-client.key")
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/ca.key ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/server.key ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/server.p12 ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/server.pem ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/ldap-client.crt ']'
unifi-freeradius-ldap_1 | + cp /certs/ldap-client.crt /etc/raddb/certs/ldap-client.crt
unifi-freeradius-ldap_1 | + chmod 640 /etc/raddb/certs/ldap-client.crt
unifi-freeradius-ldap_1 | + for i in "${FILES_640[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/ldap-client.key ']'
unifi-freeradius-ldap_1 | + cp /certs/ldap-client.key /etc/raddb/certs/ldap-client.key
unifi-freeradius-ldap_1 | + chmod 640 /etc/raddb/certs/ldap-client.key
unifi-freeradius-ldap_1 | + FILES_644=("ca.pem" "server.crt" "server.csr" "dh")
unifi-freeradius-ldap_1 | + for i in "${FILES_644[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/ca.pem ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_644[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/server.crt ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_644[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/server.csr ']'
unifi-freeradius-ldap_1 | + for i in "${FILES_644[@]}"
unifi-freeradius-ldap_1 | + '[' -f /certs/dh ']'
unifi-freeradius-ldap_1 | + /docker-entrypoint.sh freeradius
unifi-freeradius-ldap_1 | TLS: can't connect: A TLS fatal alert has been received..
```

Am I missing something obvious? I can't do anything with the CSR until I can get into the container right?
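An added diagnostic for the error in the post above; this is not part of the thread and not code from hacor/unifi-freeradius-ldap. Two things can be read off the posted log: the `'[' -f /certs/ldap-client.crt ']'` test is immediately followed by a `cp`, so the Google-issued files are already in the right place, and the failure is a TLS fatal alert from the peer, i.e. the handshake itself is rejected before any LDAP bind happens. Google Secure LDAP authenticates the connecting client with the certificate and key it issued, so the first offline check is whether `ldap-client.crt` and `ldap-client.key` are actually a matching pair (a common failure when files from different client downloads get mixed). The script assumes the `openssl` CLI is installed; the certificate it generates is constructed for the demo, and `ldap_tls_probe` (which needs network access and is therefore not invoked below) uses `ldap.google.com:636` as the Google Secure LDAP endpoint.

```shell
#!/bin/sh
# Added diagnostic helper; not part of hacor/unifi-freeradius-ldap.
# Assumes the openssl CLI is available. Endpoint and demo files are assumptions.

# check_pair CERT KEY
# Returns 0 when CERT's public key equals the public half of KEY, 1 when the
# two files do not belong together, 2 when either file is unreadable / not PEM.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# ldap_tls_probe HOST CERT KEY
# Performs the same mutual-TLS handshake the FreeRADIUS ldap module performs,
# outside the container, so a server-side alert shows up in plain text.
# Not called below because it needs network access. Usage:
#   ldap_tls_probe ldap.google.com /path/to/certs/ldap-client.crt /path/to/certs/ldap-client.key
ldap_tls_probe() {
    openssl s_client -connect "$1:636" -servername "$1" \
        -cert "$2" -key "$3" </dev/null
}

# demo_pair_check
# Builds a constructed self-signed client cert/key pair plus an unrelated key,
# then shows check_pair accepting the real pair and rejecting the mismatch.
# Returns 0 only if both outcomes are as expected.
demo_pair_check() {
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-ldap-client" \
        -keyout "$dir/ldap-client.key" -out "$dir/ldap-client.crt" 2>/dev/null || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null || return 2

    ok=0
    if check_pair "$dir/ldap-client.crt" "$dir/ldap-client.key"; then
        echo "matching cert/key: OK"
    else
        echo "matching cert/key: unexpectedly rejected"
        ok=1
    fi
    if check_pair "$dir/ldap-client.crt" "$dir/other.key"; then
        echo "mismatched key: unexpectedly accepted"
        ok=1
    else
        echo "mismatched key: rejected as expected"
    fi
    rm -rf "$dir"
    return $ok
}

demo_pair_check
```

Run `check_pair` against the two files in the repository's `certs/` folder; a mismatch or a return code of 2 (for example a key that is still password-protected or not PEM) explains a fatal alert without touching the container. If the pair checks out, run `ldap_tls_probe` with them and read the `s_client` output: a completed handshake that later fails at LDAP level points back at the bind credentials instead. Note also that the posted log was produced with `set -x` tracing and therefore echoes the Google LDAP bind password and the RADIUS shared secret in clear; anyone pasting such a log into a public issue should rotate both afterwards.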

hacor commented 2 years ago

Hello @taydy00

The fact that init.sh won't run means something is not provided correctly. It really should start automatically. Did you prepare env/freeradius.env correctly as explained in the README?

Good luck!

Hacor

taydy00 commented 2 years ago

Sorry, I guess I never got back to you! I had, but I've started with a brand new Ubuntu VM. I've also created a brand-new client in Google Admin.

I'm getting the same error, as soon as it tries to drop into docker-entrypoint.sh it throws this TLS error (if I'm reading the output correctly). I can only assume at that point it's trying to talk to Google? I've configured env/freeradius.env as explained in the documentation, and also created a new folder in the root "unifi-freeradius-ldap" folder called "certs", and have thrown the appropriately-named cert files from Google into that folder. Is it possible they need to go somewhere else?

hacor commented 1 year ago

Now it seems I never got back to you... I hope you got it working in the mean time?

taydy00 commented 1 year ago

Unfortunately I never did get this working - must be operator error as I still barely understand docker and how to interact with it. I wound up creating an LXC container with Ubuntu, and following a guide that basically prepared the image as you had prepared this docker container. It did work, so it's definitely not your container. Thanks!