Thanks guys for all your input. I believe my problem lies in client authentication on behalf of the server, and not server authentication on behalf of the client.
I didn't include the official IP in either the server or client certificate (I don't believe client needs this), since the server sits on a docker network, and I believe the IP addresses internal to the docker network may change and aren't applicable to servers outside the docker network.
The problem may in fact be the method I used to make my self-signed TLS certificates, since I really cobbled the information from a variety of sources, and in actuality the sources had a lot to do with SSL certificates and not so much to do with TLS certificates. I created my own CA.
The openssl.conf file I used in the process is as follows:
[ ca ]
default_ca = my_ca

[ my_ca ]
dir = /etc/docker/compose/authelia/certs/openldap
#certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = ./
database = $dir/index.txt
serial = $dir/ca.srl
RANDFILE = $dir/.rand

# The root key and root certificate.
private_key = $dir/ca/ca-key.pem
certificate = $dir/ca/ca.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca-crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 3750
preserve = no
policy = policy_loose
copy_extensions = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_md = sha256
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
string_mask = utf8only

[ req_distinguished_name ]
# See https://en.wikipedia.org/wiki/Certificate_signing_request.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = CH
0.organizationName_default = domain.com
organizationalUnitName_default =
emailAddress_default = user@domain.com

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ client_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Signed Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth

[ server_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Sign Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = openldap.domain.com
DNS.2 = ldap.domain.com
DNS.3 = openldap
IP.1 = 127.0.0.1
IP.2 = ::1

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier = keyid:always
I created the server and client cert via the following method according to my notes:
Create Server and Client Keys and Certificates

Generate Server and Client Keys
openssl genrsa -out ./client/key.pem 2048
openssl genrsa -out ./server/key.pem 2048

Generate the Certificate Signing Requests
openssl req -config openssl.cnf -key ./client/key.pem -new -sha256 -out ./client/cert.csr
openssl req -config openssl.cnf -key ./server/key.pem -new -sha256 -out ./server/cert.csr

Create the Server and Client Certificates
(the -extensions name must match the section header in openssl.cnf, which is server_cert / client_cert with an underscore, not server-cert / client-cert)
openssl ca -config openssl.cnf -extensions server_cert -days 3750 -notext -md sha256 -in ./server/cert.csr -out ./server/cert.pem
openssl ca -config openssl.cnf -extensions client_cert -days 3750 -notext -md sha256 -in ./client/cert.csr -out ./client/cert.pem
Perhaps I truly don't understand how to properly create TLS client and server certs, which may be part of the issue.