Exception: Connection reset by peer - SSL_connect

Hello,

I am trying to connect to the AD from my GitLab but I'm getting the below error:

LDAP: … Server: ldapmain
Exception: Connection reset by peer - SSL_connect

Below is my /etc/gitlab/gitlab.rb file:

===============================================================
external_url 'https://abc.com'
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['proxy_set_headers'] = {
  'X-Forwarded-Proto' => 'http',
  'CUSTOM_HEADER' => 'VALUE'
}
letsencrypt['enable'] = false

gitlab_rails['ldap_enabled'] = true

###! remember to close this block with 'EOS' below
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ad.example.com'
    port: 636
    uid: 'sAMAccountName'
    bind_dn: 'CN=readonly,OU=Users,OU=xxx,DC=abc,DC=local'
    password: 'password'
    encryption: 'simple_tls' # start_tls or simple_tls or plain
    verify_certificates: true
    smartcard_auth: false
    active_directory: true
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'OU=Users,OU=xxx,DC=xxx,DC=local'
    user_filter: '(memberof:1.2.840.113556.1.4.1941:=CN=GitlabAccessGroup,OU=Users,OU=xxx,DC=xxx,DC=local)'
EOS

gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'region' => 'us-east-1',
  'use_iam_profile' => true
}

It is working after making the below changes:

port: 389
encryption: 'plain' # start_tls or simple_tls or plain

verify_certificates: true (comment out this line)

But we cannot turn off the encryption and TLS Server authentication.

I have tried the below solutions as well, but unfortunately they didn't work:

Can someone please guide me on how I can solve this issue?

Thank you

Hi, I would try port 636 with plain and see how that goes for you.

There are a few differences when using port 389 and 636. The first being, that with port 389 the initial connection is unencrypted, so therefore it should be utilised with start_tls or simple_tls to then encrypt before continuing the connection. If you are using port 636, then the connection is encrypted already from the start. Therefore, using plain with 636 isn’t going to be a major issue since it’s already encrypted. And TLS won’t work with port 636 anyway, as it’s for use with port 389.
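As an added example (not code from the thread or from GitLab itself): a small Ruby check that loads an `ldap_servers` block the same way gitlab.rb does (`YAML.load` of a heredoc) and flags the port/encryption/verification combinations discussed in the question and the reply. The sample block, its `fallback` entry and the host names are constructed; in GitLab's LDAP settings `simple_tls` means TLS from the first byte (LDAPS, conventionally port 636), `start_tls` means a cleartext port-389 session upgraded with STARTTLS, and `plain` means no TLS at all.

```ruby
require 'yaml'

# Constructed sample: the LDAPS configuration the poster wants next to the
# 389/plain workaround that made the error go away. Hosts are placeholders.
SAMPLE_LDAP_SERVERS = YAML.load <<-'EOS'
main:
  label: 'LDAP'
  host: 'ad.example.com'
  port: 636
  encryption: 'simple_tls'
  verify_certificates: true
fallback:
  label: 'LDAP (workaround)'
  host: 'ad.example.com'
  port: 389
  encryption: 'plain'
EOS

# Returns a list of findings for one server entry; an empty list means the
# combination of port, encryption and certificate verification is consistent.
def ldap_server_findings(name, cfg)
  findings = []
  enc    = cfg['encryption'] || 'plain'
  port   = cfg['port']
  verify = cfg.fetch('verify_certificates', true) # GitLab's default is true

  case enc
  when 'plain'
    findings << "#{name}: bind credentials and directory data travel in cleartext"
    # Port 636 expects a TLS handshake, so a cleartext client is reset by the server.
    findings << "#{name}: plain on port #{port} cannot complete a TLS handshake; use simple_tls for LDAPS" if port == 636
  when 'simple_tls'
    findings << "#{name}: simple_tls on port #{port}; LDAPS normally listens on 636" unless port == 636
  when 'start_tls'
    findings << "#{name}: start_tls on port #{port}; STARTTLS is negotiated on the cleartext port (389)" if port == 636
  else
    findings << "#{name}: unknown encryption value #{enc.inspect}"
  end

  if enc != 'plain' && verify == false
    findings << "#{name}: verify_certificates is false, so the directory server's identity is never checked"
  end
  findings
end

# Audits every provider in an ldap_servers hash, as loaded from gitlab.rb.
def audit_ldap_servers(servers)
  servers.flat_map { |name, cfg| ldap_server_findings(name, cfg) }
end

audit_ldap_servers(SAMPLE_LDAP_SERVERS).each { |f| puts f }
```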