default-ca.pem baked into the image is now expired #506

Closed
libeks opened this issue Jan 6, 2021 · 5 comments · Fixed by osixia/container-baseimage#30 or #521

Comments


libeks commented Jan 6, 2021

openssl x509 -in /container/service/slapd/assets/certs/ca.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:f4:3e:9b:4a:60:67:f0:63:60:02:6f:c6:b9:ff:6d:d1:8d:66:89
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = A1A Car Wash, OU = Information Technology Dep., L = Albuquerque, ST = New Mexico, CN = docker-light-baseimage
        Validity
            Not Before: Dec 23 13:53:00 2015 GMT
            Not After : Dec 21 13:53:00 2020 GMT
        Subject: C = US, O = A1A Car Wash, OU = Information Technology Dep., L = Albuquerque, ST = New Mexico, CN = docker-light-baseimage
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:c6:5f:ff:5d:a9:ba:90:20:97:c4:a6:fa:3f:06:
                    9a:33:5e:35:b4:85:01:95:96:a1:39:88:bd:fd:8c:
                    bb:82:d6:3c:7c:b8:6d:39:5d:91:08:07:51:b0:69:
                    4f:7c:56:cf:c7:f4:94:1f:eb:bb:be:7d:e8:21:ec:
                    1a:82:f6:03:6f:21:c6:e7:25:ab:98:5b:53:1d:72:
                    ac:8b:77:6c:92:18:dd:3b:a2:5f:6e:47:19:37:ba:
                    90:60:89:3c:1d:5a:2d
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier:
                4F:A5:E9:7A:25:5C:30:18:9C:62:D3:97:85:BA:50:B2:87:AE:6E:F8
            X509v3 Authority Key Identifier:
                keyid:4F:A5:E9:7A:25:5C:30:18:9C:62:D3:97:85:BA:50:B2:87:AE:6E:F8

    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:31:00:97:2d:98:fc:a2:4c:b1:5b:a5:13:2f:b8:6b:
         89:b5:14:6e:ee:b7:3d:b8:ee:c0:85:e7:c2:2e:36:d0:37:4d:
         b2:f0:3d:03:b7:dc:40:45:d2:71:61:4b:5c:01:82:f2:b9:02:
         30:67:2a:c1:76:4f:49:17:f0:b8:8f:6b:f9:1d:75:81:3a:cf:
         f7:68:67:69:5c:6c:f6:c8:d1:8a:47:2d:a6:44:29:3b:23:65:
         21:71:4f:a2:91:4a:f0:57:5f:58:fc:a9:bc
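Added example, not code from the issue or from the osixia project: a small Python check that parses the Validity block of an `openssl x509 -text` dump like the one above and classifies the certificate as expired, expiring soon, valid or not yet valid. The sample dump is a constructed, trimmed copy of the output in this issue; the 30-day warning window is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "openssl x509 -text" dump from the issue above,
# trimmed to the lines this check needs.
SAMPLE_DUMP = """\
Certificate:
    Data:
        Issuer: C = US, O = A1A Car Wash, CN = docker-light-baseimage
        Validity
            Not Before: Dec 23 13:53:00 2015 GMT
            Not After : Dec 21 13:53:00 2020 GMT
        Subject: C = US, O = A1A Car Wash, CN = docker-light-baseimage
"""

_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*GMT")


def parse_validity(dump):
    """Return (not_before, not_after) as aware UTC datetimes taken from an
    'openssl x509 -text' dump. Raises ValueError if either field is missing."""
    found = {}
    for which, stamp in _VALIDITY_RE.findall(dump):
        # openssl pads single-digit days with a space ("Dec  3 ..."), so collapse whitespace
        stamp = " ".join(stamp.split())
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if "Before" not in found or "After" not in found:
        raise ValueError("validity period not found in dump")
    return found["Before"], found["After"]


def check_certificate(dump, now=None, warn_days=30):
    """Classify the certificate relative to 'now' (aware datetime, ISO-8601 string,
    or None for the current UTC time). Returns (status, days_left), where status is
    'not-yet-valid', 'valid', 'expiring-soon' or 'expired'. warn_days is an assumed policy."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(dump)
    days_left = (not_after - now).total_seconds() / 86400
    if now < not_before:
        return "not-yet-valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring-soon", days_left
    return "valid", days_left


if __name__ == "__main__":
    # Evaluate the baked-in CA as of the day this issue was opened.
    status, days = check_certificate(SAMPLE_DUMP, "2021-01-06T00:00:00+00:00")
    print(f"{status} ({days:.1f} days until Not After)")
```

Pointing the same check at the running container's `/container/service/slapd/assets/certs/ca.crt` (via `openssl x509 -in ... -text -noout`) turns it into a scheduled expiry alert rather than a surprise after the fact.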
@MichaelKim0407

The easiest solution is to mount the folder containing the ca certs as a volume, and renew the ca certs.

The path is /container/service/:ssl-tools/assets/default-ca and there is a README file in it.

After renewing the ca certs, recreate the container so that it will sign new certificates for ldap.

@heidemn-faro

Haven't tried yet, but might rebuilding the image also do the job?
https://github.com/osixia/docker-openldap#make-your-own-openldap-image

libeks commented Jan 15, 2021

What I mean to say is that this section of the README is inaccurate and should either be removed, or the default-ca.crt file should be updated.

https://github.com/osixia/docker-openldap/blob/stable/README.md#tls

@heidemn-faro

heidemn-faro commented Jan 15, 2021

@libeks yes, it should definitely be updated.
The old one was valid 2015 - 2020, so this shouldn't cause too much recurring effort ;-)

heidemn commented Jan 24, 2021

@BertrandGouny I think this issue should remain open until #521 is merged:
The Dockerfile doesn't use "latest" but a fixed version of the base image, so it must be updated manually, if I'm not wrong.
