Netgate Discussion Forum
    Solved - VPN LDAP SSL CA Verification Failed - Letsencrypt

    Category: OpenVPN
    etadmin wrote:

      Hello world,

      It's my first post around here.
      I'm here looking for help with a long-term problem that has been bothering me.

      My issue is about my VPN configuration, which is based on a remote authentication server that uses Let's Encrypt certificates:

      • I used to change the file /etc/inc/auth.inc so that all the fields read LDAPTLS_REQCERT=never, in order to get my configuration working, as I had tried to use the Let's Encrypt CA as the CA of the configuration without success.

      Since the last upgrade to 2.4.4-RELEASE-p2 (amd64) my trick doesn't work anymore, so I'm now looking for a long-term solution.

      I hope that I've been clear enough, and I'm willing to provide any details which could lead me to a solution, and the nicer way to add my contribution.

      Thanks

      jimp (Rebel Alliance Developer, Netgate) wrote:

        If the LDAP server is using a Let's Encrypt certificate, then in the LDAP auth server settings on pfSense, set Peer Certificate Authority to Global Root CA List. That works for me against an LDAP server running an LE certificate. You do need to make sure the hostname used for the LDAP server matches the name in the certificate. You can fudge that with DNS host overrides if needed.

        Your manual alteration to never validate the certificate is dangerous, and should not be used.

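To make the two settings in the answer above concrete, here is an added example in Python (not pfSense code and not something posted in this thread). It models what a TLS client such as the pfSense LDAP authenticator does when "Peer Certificate Authority" is set to the Global Root CA List (trust the OS bundle and require the configured hostname to match the certificate), contrasts that with the LDAPTLS_REQCERT=never hack (no CA check, no name check), and shows why a Let's Encrypt certificate still fails verification when the LDAP server is configured by IP address or by a name that is not in the certificate. The certificate data (`SAMPLE_PEERCERT`), the hostnames and the function names are all constructed for the example.

```python
"""Model of the two checks behind 'SSL CA verification failed' for LDAPS.

Added example, not pfSense code. SAMPLE_PEERCERT is a constructed stand-in
for what ssl.SSLSocket.getpeercert() returns for a Let's Encrypt leaf cert.
"""
import ipaddress
import ssl

# Constructed sample certificate: only the fields needed for name matching.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ldap.example.org"),),),
    "subjectAltName": (("DNS", "ldap.example.org"), ("DNS", "*.auth.example.org")),
}


def insecure_context() -> ssl.SSLContext:
    """Equivalent of LDAPTLS_REQCERT=never: the chain is never checked against
    any CA and the name is never checked, so anything on the path between
    pfSense and the LDAP server can impersonate it and capture credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Equivalent of 'Peer Certificate Authority: Global Root CA List': trust
    the operating system's root bundle (which carries the Let's Encrypt roots)
    and require the certificate to be issued for the host we connect to."""
    ctx = ssl.create_default_context()  # loads the OS trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is only
    honoured as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(configured_host: str, peercert: dict) -> bool:
    """True if the host pfSense was told to connect to is covered by the
    certificate's subjectAltName. An IP address is only accepted against an
    'IP Address' SAN, never against a DNS name, which is why configuring the
    LDAP server by IP fails even with a perfectly valid Let's Encrypt cert."""
    sans = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_id_matches(value, configured_host)
               for kind, value in sans)


def diagnose(configured_host: str, peercert: dict) -> str:
    """Explain the name-matching half of a verification failure."""
    if name_matches(configured_host, peercert):
        return "ok"
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    return (f"hostname {configured_host!r} is not in the certificate's names {names}; "
            "configure the LDAP server by one of those DNS names and add a DNS "
            "host override if that name does not resolve internally")


if __name__ == "__main__":
    for host in ("ldap.example.org", "ldap01.auth.example.org", "192.0.2.10", "ldap"):
        print(f"{host:28} -> {diagnose(host, SAMPLE_PEERCERT)}")
```

Only `verified_context()` corresponds to a supported pfSense setup; `insecure_context()` is here so the difference is visible in code. The `diagnose` output for the IP-address and short-name cases is the situation the answer addresses with "make sure the hostname used for the LDAP server matches the name in the certificate".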
        etadmin wrote:

          Hi @jimp ,

          I agree with you.
          It was a bad fix from when Let's Encrypt was just added to pfSense.
          I'm looking for a permanent solution now.
          I might have missed something, as I've made some tests on several occasions.
          I will make a fresh test with a new pfsense.

          Thanks for your answer. :)

          etadmin wrote:

            Hi,

            I figured out my mistake and it's fixed for good now.
            Thanks for the help.

            Have a nice week-end.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.