Implement LDAPS using SSL for an LDAP server using TLS encryption


We use Google Workspace (GWS), which serves LDAPS (Secure LDAP) over TLS. When creating new LDAP clients in GWS, we get

  • Bind Username
  • Bind Password
  • Private Key File (.key file)
  • TLS Certificate (.crt file)

I want to connect MongoDB Atlas to Google Directory for User Authentication and it only supports ldaps over SSL. I already have a working Stunnel (https://www.stunnel.org/) setup on a Ubuntu EC2 instance for converting the TLS Tunnel to a non-secure ldap connection.

Note: The certificate and key file are placed under the /etc/ssl/private directory.

The stunnel configuration file looks like below:

## /etc/stunnel4/stunnel.conf
debug = 2
output = /tmp/stunnel.log

[ldap]
client = yes
accept = $EC2_PRIVATE_IP:1636 ## Listen on port 1636
connect = ldap.google.com:636 ## Forward requests to Google's LDAP server
cert = ldap_crt.crt
key = ldap_key.key

I tried to start an SSL Tunnel using the same configuration file. I tried generating the SSL Certificate as mentioned in this DigitalOcean guide.

## /etc/stunnel4/stunnel.conf
debug = 2
output = /tmp/stunnel.log

[ldap]
client = yes
accept = $EC2_PRIVATE_IP:1636 ## Listen on port 1636
connect = ldap.google.com:636 ## Forward requests to Google's LDAP server
cert = ldap_crt.crt
key = ldap_key.key

[ssl_service]
accept = $EC2_PRIVATE_IP:2929 ## Listen on port 2929
connect = $EC2_PRIVATE_IP:1636 ## Forward to ldap client
cert = mongodb_ssl.pem

After saving the configuration file, I restarted the stunnel service using the command

$ stunnel /etc/stunnel4/stunnel.conf

I receive the following error message:

[ ] Clients allowed=500
[.] stunnel 5.44 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.1.0g  2 Nov 2017
[.] Running  with OpenSSL 1.1.1  11 Sep 2018
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel4/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [ldap]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x02120004 (+0x02000000, -0x00000000)
[ ] Loading certificate from file: ldap_crt.crt
[ ] Certificate loaded from file: ldap_crt.crt
[ ] Loading private key from file: ldap_key.key
[:] Insecure file permissions on ldap_key.key
[ ] Private key loaded from file: ldap_key.key
[ ] Private key check succeeded
[:] Service [ldap] needs authentication to prevent MITM attacks
[ ] Initializing service [ssl_service]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x02124004 (+0x02004000, -0x00000000)
[ ] Loading certificate from file: mongodb_ssl.pem
[!] error queue: 140DC002: error:140DC002:SSL routines:use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [ssl_service]: Failed to initialize TLS context

After executing the command, I also checked the port numbers but only the ldap service had started:

$ netstat -tulnep
tcp        0      0 172.31.13.255:1636      0.0.0.0:*               LISTEN      0          53162235   6541/stunnel4

Question: How do I resolve this setup so that I can start an SSL tunnel and then again forward the traffic to a TLS tunnel?
