Thanks guys for all your input. I believe my problem lies in client authentication on behalf of the server, and not server authentication on behalf of the client.
I didn't include the official IP in either the server or client certificate (I don't believe the client needs this), since the server sits on a docker network, and I believe the IP addresses internal to the docker network may change and aren't applicable to servers outside the docker network. The problem may in fact be the method I used to make my self-signed TLS certificates, since I really cobbled the information together from a variety of sources, and in actuality the sources had a lot to do with SSL certificates and not so much to do with TLS certificates. I created my own CA. The openssl.conf file I used in the process is as follows:

[ca]
default_ca = my_ca

[ my_ca ]
dir = /etc/docker/compose/authelia/certs/openldap
#certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = ./
database = $dir/index.txt
serial = $dir/ca.srl
RANDFILE = $dir/.rand

# The root key and root certificate.
private_key = $dir/ca/ca-key.pem
certificate = $dir/ca/ca.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca-crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 3750
preserve = no
policy = policy_loose
copy_extensions = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
default_md = sha256
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
string_mask = utf8only

[req_distinguished_name]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = CH
0.organizationName_default = domain.com
organizationalUnitName_default =
emailAddress_default = [email protected]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ client_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Signed Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth

[ server_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Sign Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = openldap.domain.com
DNS.2 = ldap.domain.com
DNS.3 = openldap
IP.1 = 127.0.0.1
IP.2 = ::1

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

I created the server and client cert via the following method according to my notes:

Create Server and Client Keys and Certificates

Generate Server and Client Keys:
openssl genrsa -out ./client/key.pem 2048
openssl genrsa -out ./server/key.pem 2048

Generate the Certificate Signing Requests:
openssl req -config openssl.cnf -key ./client/key.pem -new -sha256 -out ./client/cert.csr
openssl req -config openssl.cnf -key ./server/key.pem -new -sha256 -out ./server/cert.csr

Create the Server and Client Certificates:
# -extensions must name a section that exists in openssl.cnf; the file defines
# [ server_cert ] and [ client_cert ] (underscores), so those names are used here
openssl ca -config openssl.cnf -extensions server_cert -days 3750 -notext -md sha256 -in ./server/cert.csr -out ./server/cert.pem
openssl ca -config openssl.cnf -extensions client_cert -days 3750 -notext -md sha256 -in ./client/cert.csr -out ./client/cert.pem

Perhaps I truly don't understand how to properly create TLS client and server certs, which may be part of the issue.
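As an added example (not code from the original post or from any project), the script below builds a throwaway CA plus a server and a client cert with extension sections shaped like the config above, then uses openssl verify -purpose to confirm what each cert is actually good for; the -extensions argument has to match a [section] header in the config exactly. It assumes openssl 1.1+ on PATH; every path, name and the config itself are constructed for the demo.

```shell
# Added example (not the poster's or any project's code): build a throwaway CA
# plus a server and a client cert using extension sections shaped like the
# openssl.cnf above, then ask openssl whether each cert is valid for the purpose
# the peer will check. Assumes openssl 1.1+ on PATH; everything else is constructed.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,cRLSign,keyCertSign
[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:openldap.domain.com,DNS:openldap
[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# Self-signed root CA (the trust anchor both sides will be configured with)
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=demo-ca" -days 30 -config "$WORK/demo.cnf" -extensions v3_ca \
  -out "$WORK/ca.pem" 2>/dev/null
# issue_cert NAME SECTION: key + CSR, then a CA-signed cert carrying SECTION.
# SECTION must match a [header] in the config exactly (underscore, not hyphen).
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -config "$WORK/demo.cnf" \
    -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/demo.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}
issue_cert server server_cert
issue_cert client client_cert
# cert_ok NAME PURPOSE (sslserver|sslclient): does the cert chain to the CA and
# carry the keyUsage/EKU that purpose needs? The exit status is the answer.
cert_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}
cert_ok server sslserver && echo "server cert: accepted for serverAuth"
cert_ok client sslclient && echo "client cert: accepted for clientAuth"
cert_ok client sslserver || echo "client cert: rejected for serverAuth (as intended)"
```

Running the same cert_ok check against the real ./server/cert.pem and ./client/cert.pem with ca.pem as -CAfile tells you whether the LDAP server will accept the client cert before any application logs need to be read.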
