I have set up ODK 2 Sync Endpoint on an Amazon Linux EC2 instance successfully. I managed to get a certificate from Let's Encrypt and installed it into nginx according to the guideline. Now I can access the web-ui with https.
However, when I tried to access ldap at https://my.domain.com:40000/ the certificate was invalid and the browser did not allow me to continue. When I viewed the certificate, it was issued by docker-light-baseimage, not by letsencrypt.
I do not know how to use the certificate issued by Let's Encrypt with ldap. Or, do I need a different certificate for ldap?
Yes - phpldapadmin comes with its own self-signed certificate (usually you can just click details and “Continue to this website (unsafe)” in the browser, or you can install the certificate on the client PCs that need it).
I think that, security-wise, the phpldapadmin interface should not be exposed directly to the internet as such (i.e. port 40000 should not be forwarded/open in the firewall), but only accessed from local admin PCs…
Thank you Emil. One question. If port 40000 is not exposed directly to the internet, how could we add users and groups to phpldapadmin? Sorry in advance for my naive question.
That depends on your setup - is it possible for you to set up a VPN that connects you to the “internal” network of the server and only have port 40000 exposed there? In that case that would be more secure…
Additionally I found it useful to add the phpldapadmin container to the reverse proxy and avoid having to use the port altogether. This was a bit more involved, but in the end I got it working with web-ui at my-server.com/web-ui and phpldapadmin at my-server.com/ldap, both served on https with a certificate automatically generated and renewed via certbot.
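The reverse-proxy layout described in the reply above, written out as an added nginx example (this is not the poster's own configuration and not part of the ODK project's files). It assumes, hypothetically, that nginx can reach the Sync Endpoint web UI at `http://web-ui:8000` and the phpldapadmin container at `https://phpldapadmin:443` on the internal Docker network, that certbot placed the certificate under `/etc/letsencrypt/live/my-server.com/`, and that admin access comes from the documentation range `203.0.113.0/24`; adjust all of those to your setup.

```nginx
# Added example, not from the original thread or the ODK project.
# One public listener terminates TLS with the certbot certificate and proxies
# both applications by path, so port 40000 never has to be opened in the
# security group at all.
# Assumed (hypothetical) upstream names, ports, paths and admin range below.

server {
    listen 80;
    server_name my-server.com;

    # Keep plain HTTP only for the ACME http-01 challenge used by certbot renewals
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # Everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name my-server.com;

    ssl_certificate     /etc/letsencrypt/live/my-server.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-server.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # ODK Sync Endpoint web UI (assumed upstream name/port)
    location /web-ui/ {
        proxy_pass http://web-ui:8000/web-ui/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # phpldapadmin, reachable only through this proxy and only from the
    # admin source range (assumed; replace with your VPN or office range)
    location /ldap/ {
        allow 203.0.113.0/24;
        deny  all;

        # The container still speaks HTTPS with its own self-signed
        # (docker-light-baseimage) certificate; that hop stays on the internal
        # Docker network, so verification is disabled here while the browser
        # only ever sees the Let's Encrypt certificate above.
        proxy_pass https://phpldapadmin:443/;
        proxy_ssl_verify off;

        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Forwarded-Prefix /ldap;
    }
}
```

Two things to check after reloading nginx: `curl -I https://my-server.com:40000/` from outside should time out once the security-group rule for 40000 is removed, and `openssl s_client -connect my-server.com:443 -servername my-server.com` should show the Let's Encrypt issuer for both `/web-ui/` and `/ldap/`. Serving phpldapadmin under a sub-path is the "more involved" part mentioned above: if its links come back pointing at `/` instead of `/ldap/`, the application's base URL needs to be set (or the links rewritten) so they stay under the prefix.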