Dovecot can't connect to ldap server via ldaps

Question

I have an LDAP server that accepts request through ldaps on port 636. I already use it for many of my applications and I want to have my dovecot server use that for authentication as well.

dovecot ldap config:

uris = ldaps://<<ldap-url>>:636
auth_bind = yes
dn = <<dn>>
dnpass = <<pw>>
ldap_version = 3
base = <<base>>
deref = never
scope = subtree
default_pass_scheme = SSHA
blocking=yes # apparently this sometimes helps, but not in this case

# user filter
#user_attrs = mailHomeDirectory=mail,mailStorageDirectory=mail,mailQuota=quota_rule=*:bytes=%$
user_attrs = 
user_filter = (&(objectClass=mailUser)(maildrop=%u))

# password filter
#pass_attrs  = maildrop=user,userPassword=password
pass_attrs = userPassword=password
pass_filter = (&(objectClass=mailUser)(maildrop=%u))

#iterate_attrs = mail=user
#iterate_filter = (objectClass=mailUser)

The LDAP server is up and running, I can bind to the configured dn with the configured pass and base with JXplorer, but not with dovecot.

relevant log part:

dovecot: auth-worker(15177): Error: LDAP: Can't connect to server: ldaps://ldap.ropi.dev:636

Answer 1

The problem (and by extension the solution) is a pretty unique one. So the whole reason why I started doing all of this is that I want to phase one of my servers. For the most part, I removed all functionality from it and this is the last one.

This also means that I haven't updated my packages in a while.

Now I use LetsEncrypt certificates for my SSL communication. The thing is, one of the certificates in the chain provided by LetsEncrypt has expired on 2021.09.30. Since I haven't updated the system in a while, I didn't have the new certificate for my cert chain. This was the reason why I kept getting tls handshake errors.

So the solution in my case was as simple as:

sudo yum upgrade -y
sudo systemctl restart dovecot

Thank you to @naxto asenjo for helping my uncover the issue.