Solved: VPN LDAP SSL CA Verification Failed (Let's Encrypt)



  • Hello world,

    It's my first post around here.
    I'm here looking for help with a long-term problem that has been bothering me.

    My issue is about my VPN configuration, which is based on a remote authentication server that uses Let's Encrypt certificates:

    • I used to change the file /etc/inc/auth.inc so that all the fields were LDAPTLS_REQCERT=never in order to get my configuration working, as I had tried to use the Let's Encrypt CA as the CA of the configuration without success.

    Since the last upgrade to 2.4.4-RELEASE-p2 (amd64) my trick doesn't work anymore, so I'm now looking for a long-term solution.

    I hope I've been clear enough. I'm willing to provide any details that could lead me to a solution, and this is the nicest way I can add my contribution.

    Thanks


  • Rebel Alliance Developer Netgate

    If the LDAP server is using a Let's Encrypt certificate, then in the LDAP auth server settings on pfSense, set Peer Certificate Authority to Global Root CA List. That works for me against an LDAP server running an LE certificate. You do need to make sure the hostname used for the LDAP server matches the name in the certificate. You can fudge that with DNS host overrides if needed.

    Your manual alteration to never validate the certificate is dangerous, and should not be used.
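    As an added example (not code from this thread or from pfSense), the script below performs the same two checks the setting above turns on: chain validation against the OS root CA store (the "Global Root CA List") and matching the configured hostname against the certificate's DNS SANs. `validate=False` reproduces what the LDAPTLS_REQCERT=never hack does, i.e. no check at all. The host `ldap.example.com` and port 636 are placeholders.

```python
"""Probe an LDAPS server with the checks pfSense applies once Peer Certificate
Authority is set to Global Root CA List: trusted chain plus hostname match."""
import socket
import ssl


def build_context(validate: bool = True) -> ssl.SSLContext:
    """validate=True: verify chain against the OS root store and check the name.
    validate=False: mirrors LDAPTLS_REQCERT=never (no chain or name check)."""
    ctx = ssl.create_default_context()  # loads the system root CA bundle
    if not validate:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def name_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style match: exact (case-insensitive) or one leftmost wildcard
    label, so *.example.com matches ldap.example.com but not a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def probe_ldaps(hostname: str, port: int = 636, validate: bool = True) -> dict:
    """Connect and report issuer, DNS SANs and whether the configured name matches.
    With validate=True an untrusted chain or a name mismatch raises
    ssl.SSLCertVerificationError, the 'CA verification failed' from the title."""
    ctx = build_context(validate)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # empty dict when verify_mode is CERT_NONE
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {"issuer": issuer, "san": sans, "name_matches": name_matches(hostname, sans)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder host
    print(probe_ldaps(target))
```

    If the probe raises a verification error but `name_matches` is false, fix the hostname (or add a DNS host override) rather than the CA setting.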



  • Hi @jimp,

    I agree with you.
    It was a bad fix from when Let's Encrypt had just been added to pfSense.
    I'm looking for a permanent solution now.
    I might have missed something, as I've made some tests on several occasions.
    I will make a fresh test with a new pfsense.

    Thanks for your answer. :)



  • Hi,

    I figured out my mistake and it's fixed for good now.
    Thanks for the help.

    Have a nice weekend.