LDAP SSL not working after upgrade to 2.4
-
We use jumpcloud as a external LDAP for authenticating our admin users and vpn users. It has worked flawlessly before the upgrade. After the upgrade, It will not allow me to authenticate if I leave the transport in SSL (636). IF I change it to TCP-Standard and 389, everything works. I've checked and nothing has changed in the settings with the CA, the only change was that we've upgraded to 2.4. If I revert back to 2.3, SSL authentication works again?
I get the error
Oct 21 08:07:18 php-fpm 90547 /diag_authentication.php: ERROR! Could not bind to server Jumpcloud.
Oct 21 08:06:38 php-fpm 60714 /system_authservers.php: ERROR! ldap_get_groups() could not bind to server Jumpcloud.Any thoughts?
-
~~Jumpcloud SSL certificate is signed by GoDaddy Intermediate CA.
Not sure why it's a thing in 2.4 but you should import the 'GoDaddy Secure Server Certificate (Intermediate Certificate) - G2' certificate from GoDaddy Secure Server Certificate (Intermediate Certificate) - G2 through the Import option, not Create an Intermediate option.
This will solve all your issues.~~
After further investigation this didn't appear to work. Instead I imported the GoDaddy Class 2 Certification Authority Root Certificate as well as my Jumpcloud certificate and was met with success.
It appears that Jumpcloud certificates being signed by the GoDaddy Root certificate requires the GoDaddy Root certificate to be imported as well.
-
Does jumpcloud not serve the intermediate certificate when you connect to it? What is the hostname you connect to?
-
It still refuses to bind. I shouldn't have to import the Godaddy cert. I'm pointing to jumpcloud, it worked perfectly until upgrade.
-
Importing the GoDaddy Root .pem cert worked.
-
So good times… I recently upgraded our firewalls to 2.4.X and this exact thing happened. it's mentioned that Importing the GoDaddy Root .pem cert should work but I think I'm missing something.
I dowloaded the following - https://certs.godaddy.com/repository/gd-class2-root.crt
I then imported it into the pfSense Cert manager but... I'm not sure if things are supposed to automagically work and I've done something wrong or after I've imported the config am I supposed to change any of the configuration of the JumpCloud authentication server settings.
Thoughts?
-
Did you also try setting the Peer Certificate Authority for the LDAP server to Global Root CA List?