Basic questions regarding certificates
in school we have two different networks:
- WLAN - a pfsense regulates the internet access with a captiv portal
- LAN - a barely configurable octogate firewall regulates the internet access
- A windows server (with an LDAP-Server) is in the LAN network. Its defaut gateway is the octogate firewall and its hostname is dc01. The confiuration has already been set to DC=musterschule, DC=schule, DC=paedml.
- On the pfsense a Lets Encrypt certificate was successfully installed.
- It is now possible to connect the windows server from an external computer via LDAP. This worked fine with the correct settings in Firewall -> NAT -> Port Forward and in Firewall -> NAT -> Outbound, thanks to your support here in the forum. The outbound settings are neccessary, because the windows server has an other standard gateway, so that a port forwarding is not sufficient.
When I try to connect with jxplorer I get the error message:
java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found
When I test the certificate with
openssl s_client -showcerts -connect aespfsense.ddnss.de:3026
I get the self signed certificate from the windows server - not from the pfsense.
Now my question: Is it possible that the LDAPS request from the external computer ends with the pfsense, then the valid Lets Encrypt certificate from the pfsense is taken, the pfsense regulates the LDAP query with the windows server and, finally, the pfsense answers the request to the external computer?
In other words: The external computer doesn't recognize that the pfsens is not the LDAP server.
The aim is that I don't have to make any changes on the windows server. I'am always open and thankful for new solutions.
I know this document Troubleshooting LDAP Authentication
But I can't change the hostname of the windows server.
My english isn't verry good and network matters are not my expertise ;-)
Thanks in advance!
I don't think so.
To do that you would need to proxy the LDAP traffic and pfSense is not capable of that. Via the GUI at least.
However you could probably do it via something else that you could port forward to and change the certificates without bothering Windows.