Netgate Discussion Forum

    Basic questions regarding certificates

    General pfSense Questions
    2 Posts 2 Posters 484 Views

      leof.22

      Hello,

      In school we have two different networks:

      1. WLAN - a pfsense regulates the internet access with a captive portal
      2. LAN - a barely configurable octogate firewall regulates the internet access

      More facts:

      • A windows server (with an LDAP server) is in the LAN network. Its default gateway is the octogate firewall and its hostname is dc01. The configuration has already been set to DC=musterschule, DC=schule, DC=paedml.
      • On the pfsense a Let's Encrypt certificate was successfully installed.
      • It is now possible to connect to the windows server from an external computer via LDAP. This worked fine with the correct settings in Firewall -> NAT -> Port Forward and in Firewall -> NAT -> Outbound, thanks to your support here in the forum. The outbound settings are necessary, because the windows server has another default gateway, so that a port forwarding alone is not sufficient.

      When I try to connect with jxplorer I get the error message:

      java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

      When I test the certificate with

      openssl s_client -showcerts -connect aespfsense.ddnss.de:3026

      I get the self-signed certificate from the windows server - not from the pfsense.

      Now my question: Is it possible that the LDAPS request from the external computer ends at the pfsense, then the valid Let's Encrypt certificate from the pfsense is used, the pfsense handles the LDAP query with the windows server and, finally, the pfsense answers the request to the external computer?
      In other words: the external computer doesn't recognize that the pfsense is not the LDAP server.

      The aim is that I don't have to make any changes on the windows server. I'm always open and thankful for new solutions.

      I know this document: Troubleshooting LDAP Authentication
      But I can't change the hostname of the windows server.

      My English isn't very good and network matters are not my expertise ;-)

      Thanks in advance!
      Cheers,
      Leo


        stephenw10 Netgate Administrator
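      The error JXplorer reports is the client's hostname check: it compares the name it connected to (aespfsense.ddnss.de) against the DNS entries in the presented certificate's Subject Alternative Name list, and the DC's self-signed certificate only names the DC itself. The following script is an added example, not code from the thread or from Netgate; it reproduces that check offline on a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns (the FQDN `dc01.musterschule.schule.paedml` is assumed from the hostname and base DN in the post) and also offers a live `probe()` that connects with full verification and reports why Python rejects the handshake. The wildcard rules in `dns_name_matches` follow RFC 6125 (one leading `*` label only, never matching a bare registered domain).

```python
"""Why 'No subject alternative DNS name matching <hostname> found' happens."""
import socket
import ssl

# Constructed sample: what getpeercert() would return for the DC's self-signed
# certificate. Only internal names are listed; the public DDNS name is not.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.musterschule.schule.paedml"),),),
    "subjectAltName": (
        ("DNS", "dc01.musterschule.schule.paedml"),  # assumed FQDN of dc01
        ("DNS", "dc01"),
    ),
}


def san_dns_names(cert):
    """Return the DNS entries of the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, at most one leading wildcard
    label, and the wildcard never covers a whole registered domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' stands for exactly one label; require at least two fixed labels after it
    return (
        len(p_labels) == len(h_labels)
        and len(h_labels) >= 3
        and p_labels[1:] == h_labels[1:]
    )


def hostname_in_san(cert, hostname):
    """True when some SAN DNS entry covers the name the client connected to."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def explain(cert, hostname):
    """Human-readable verdict, mirroring what JXplorer's Java client decides."""
    names = san_dns_names(cert)
    if hostname_in_san(cert, hostname):
        return f"OK: {hostname} is covered by SAN entries {names}"
    return (
        f"MISMATCH: {hostname} is not in SAN entries {names}; "
        "a verifying client will abort the TLS handshake"
    )


def probe(host, port, timeout=5.0):
    """Live check: connect with the default (verifying) context and report the
    peer certificate verdict, or the reason verification failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return explain(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" or "Hostname mismatch, certificate is not valid for ..."
        return f"verification failed: {exc.verify_message}"


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(explain(SAMPLE_DC_CERT, "aespfsense.ddnss.de"))
    print(explain(SAMPLE_DC_CERT, "dc01.musterschule.schule.paedml"))
```

      Run against the constructed certificate, the public DDNS name is reported as a mismatch while the DC's own name passes, which is exactly the situation in the post: the server behind the port forward presents a certificate issued for a different name than the one the external client typed. Note that `probe()` also fails on an untrusted (self-signed) issuer before it ever gets to the hostname check, so a passing hostname alone is not sufficient for a verifying client.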

        I don't think so.

        To do that you would need to proxy the LDAP traffic and pfSense is not capable of that. Via the GUI at least.

        However you could probably do it via something else that you could port forward to and change the certificates without bothering Windows.

        Steve

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.