ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

LDAPSocketOpenError #180

Closed securitytime closed 10 months ago

securitytime commented 10 months ago

I used Certipy against a few HTB machines without any issues. Now I set up my own Windows Server 2019 VM and I'm getting the following error:

$ ./venv/bin/certipy find -u ###### -p ######## -dc-ip 192.168.56.15 -ns 192.168.56.15 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Authenticating to LDAP server
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
Traceback (most recent call last):
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/lib/ldap.py", line 77, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1_2)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/lib/ldap.py", line 136, in connect
    bind_result = ldap_conn.bind()
                  ^^^^^^^^^^^^^^^^
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/commands/find.py", line 1179, in entry
    find.find()
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/commands/find.py", line 165, in find
    connection = self.connection
                 ^^^^^^^^^^^^^^^
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/commands/find.py", line 124, in connection
    self._connection.connect()
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/lib/ldap.py", line 83, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/certipy/lib/ldap.py", line 136, in connect
    bind_result = ldap_conn.bind()
                  ^^^^^^^^^^^^^^^^
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/home/kali/Temp/venv/lib/python3.11/site-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 104] Connection reset by peer

The Windows Server 2019 installation is pretty straightforward. I used the 180-day evaluation ISO, installed all Windows patches, then added Active Directory Domain Services and then Active Directory Certificate Services (here I selected the Certification Authority role and later Enterprise CA). To install Certipy, I ran ./venv/bin/python -m pip install certipy-ad bloodhound.py, which works fine.

ly4k commented 10 months ago

Certipy uses LDAPS by default; you can switch to LDAP with -scheme or -ldap-scheme. Alternatively, you must request a certificate for server authentication for your domain controller. It fails because the domain controller doesn't have a certificate to use. Log on to the DC as domain admin, then search for Computer Certificates and follow the guide to request a new certificate. Choose the Domain Controller option.
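The diagnosis above can be checked before running Certipy at all. This added example (not Certipy's or ldap3's own code) repeats the step the -debug trace shows failing, a TCP connect to 636 followed by a TLS wrap, and maps the outcome to the advice in this thread; the host address and the free_loopback_port helper are assumptions for illustration.

```python
# Added example, not Certipy's own code: reproduce the step where the -debug
# trace above fails (TCP connect to 636, then TLS wrap) and turn the outcome
# into the advice given in this thread. Host/port values are placeholders.
import socket
import ssl

ADVICE = {
    "ok": "LDAPS is up; Certipy's default scheme should bind.",
    "reset": ("TCP accepted but TLS reset: the DC has no Server Authentication "
              "certificate. Enrol a Domain Controller cert, or use -scheme ldap."),
    "refused": "Nothing listening on the port: the DC is not offering LDAPS.",
    "timeout": "No answer: check routing/firewall to the -dc-ip address.",
    "tls-error": "TLS negotiated but failed: check protocol versions and chain.",
    "other": "Unclassified socket error; rerun Certipy with -debug.",
}

def classify_tls_failure(exc: BaseException) -> str:
    """Map the exception raised during connect/wrap to a diagnosis keyword."""
    if isinstance(exc, ConnectionResetError):       # [Errno 104] from the issue
        return "reset"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):               # handshake started, then failed
        return "tls-error"
    return "other"

def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Try a TLS handshake the way ldap3 does and report status plus advice."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking "does TLS come up at all?"
    ctx.verify_mode = ssl.CERT_NONE  # chain validation is a separate check
    result = {"status": "other", "tls_version": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["status"] = "ok"
                result["tls_version"] = tls.version()
    except OSError as exc:           # ssl.SSLError is an OSError subclass
        result["status"] = classify_tls_failure(exc)
    result["advice"] = ADVICE[result["status"]]
    return result

def free_loopback_port() -> int:
    """Pick a loopback port with no listener, to demonstrate the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against the DC in the report, probe_ldaps("192.168.56.15") is expected to return status "reset" until a Domain Controller certificate is enrolled.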

securitytime commented 10 months ago

Thanks for your detailed explanation! The switch -scheme ldap helped.