Netgate Discussion Forum
    SSL CA storage

    webGUI
mingus:

      Hello / hola,
I'm trying to set up an LDAP server for OpenVPN in pfSense 2.4.4-RELEASE-p2
and I have hit a problem that has had me stumped for hours.

I have created a CA via the cert manager called "internal CA" and have issued a server cert for the LDAP server (cn=dns record) signed by that CA. I have copied the ca.cert, the host.cert and the host.key file to the LDAP server and configured

      TLSCertificateFile /etc/ssl/private/host.crt
      TLSCertificateKeyFile /etc/ssl/private/host.key
      TLSCACertificateFile /etc/ssl/rootCA.crt

correctly. The LDAP server runs happily, and from anywhere with the rootCA added, running an LDAP query over SSL or

openssl s_client -connect ldap.local.lan:636

produces a proper chain and "Verify return code: 0 (ok)", which is as it should be. From the pfSense server I get "Verify return code: 19 (self signed certificate in certificate chain)" UNLESS I copy the CA cert generated from the cert manager page into a temp file and then run:

      openssl s_client -CAfile /tmp/cafile.crt -connect ldap.local.lan:636

when it works fine (return code: 0 OK). So, what gives? I can see the CA contents in base64-encoded format in the config file. If I cut/paste that data and decode it, then run the above command against the pasted-into file, it works fine. I'm guessing this is an error in pfSense internals somewhere (looks like config['ca'], but I have no idea what that's set to or how to find out), and I have run out of places to look.

      Help!

      TIA.

Derelict (Netgate):

Because when you run openssl on the command line manually, you are using the certificates in the ca_root_nss-3.39 root certificate bundle from the Mozilla Project, unless you specify a CA like you did.

        If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against.

mingus @Derelict:

          Hi Derelict,

Thanks for that. I understand the principle, but I think maybe I presented my question badly. The command:

          openssl s_client -CAfile /tmp/cafile.crt -connect ldap.local.lan:636

is using the locally-created CA. "/tmp/cafile.crt" is a copy-paste of the certificate from the web interface "show CA certificate", and it works there, but the LDAP SSL connection fails as it doesn't "have" that CA in the chain. The server cert presented by the LDAP server (and signed by a CA via the web interface) isn't trusted by the pfSense host that created it.

In a nutshell, my question is "How do you add locally generated CA files to the chain of trust on the pfSense server?" or "How do you get the pfSense server to trust server certificates signed by a CA that is held in the XML file/web interface ON that same pfSense server?"

          Best,

          Tim

mingus @mingus:

*replying to myself*

            Sorry, to clarify some more:

            "If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against."

            That's exactly what I'm doing.

1. Create a local CA via the web interface called "internal".
2. Use the "internal" CA to sign a server cert for ldap.localstuff.lan via the web interface.
3. Copy the generated CA.cert, server.cert and server.key onto the LDAP server.
4. Configure and test using command-line SSL. All good.
5. Set up an LDAP server connection via the web interface, selecting the "internal" CA via the drop-down box.
6. Attempt an SSL connection via the setup page, which fails with error "19 (self signed certificate in certificate chain)".
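The verification behaviour Derelict describes, and the six-step procedure above, can be reproduced on any box with the openssl CLI. The script below is an added example written for this page; it is not code from the thread or from pfSense. It builds a throwaway CA (standing in for the cert manager's "internal CA"), signs a leaf for ldap.local.lan with it, and then runs the same `openssl verify` four ways: against the default trust store (what a bare `openssl s_client -connect` uses), with the CA offered only as an untrusted chain member (which produces the "self signed certificate in certificate chain" result, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, error 19), with `-CAfile` pointing at the exported CA (the command that worked), and with a CA recovered from a constructed config.xml fragment by decoding the base64 `<crt>` blob, which is the cut-and-paste route the original poster used. The config.xml fragment, the file names and the CA name are all constructed for the demo; the assumption that pfSense stores the PEM base64-encoded inside `<crt>` is mine, and a real config.xml carries more fields per `<ca>` entry.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Needs only the openssl CLI.
# All names and files below are constructed for the demo.
set -e

WORK=$(mktemp -d)   # left in place on exit so the files can be inspected

# Step 1: a self-signed CA, standing in for the cert manager's "internal CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 2: a server key and CSR for the LDAP host, signed by that CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.local.lan" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
openssl x509 -req -days 2 -set_serial 1 \
    -in "$WORK/host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -out "$WORK/host.crt" 2>/dev/null

# Constructed stand-in for a config.xml <ca> entry. Assumption: the PEM is
# stored base64-encoded inside <crt> (the real entry has more fields).
printf '<ca><descr>internal CA</descr><crt>%s</crt></ca>\n' \
    "$(openssl base64 -A -in "$WORK/ca.crt")" > "$WORK/config.xml"

# Report ok/fail instead of an exit status so results can be captured under set -e.
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Default trust store only: the private CA is unknown, so the leaf fails
# (this is what a bare `openssl s_client -connect host:636` verifies against).
verify_default()   { check "$WORK/host.crt"; }

# Chain completes (CA supplied as untrusted, as a server would send it) but the
# root is not trusted: error 19, "self signed certificate in certificate chain".
verify_untrusted() { check -untrusted "$WORK/ca.crt" "$WORK/host.crt"; }

# Explicit -CAfile with the exported CA: the command that worked in the thread.
verify_with_ca()   { check -CAfile "$WORK/ca.crt" "$WORK/host.crt"; }

# The cut-and-paste route: pull the base64 blob out of config.xml, decode it
# back to PEM and verify against that. Takes the first <crt> only; a real
# config.xml has one <ca> block per CA.
verify_with_config_ca() {
    sed -n 's:.*<crt>\([^<]*\)</crt>.*:\1:p' "$WORK/config.xml" \
        | openssl base64 -d -A > "$WORK/ca-from-config.crt"
    check -CAfile "$WORK/ca-from-config.crt" "$WORK/host.crt"
}

for f in verify_default verify_untrusted verify_with_ca verify_with_config_ca; do
    printf '%-24s %s\n' "$f" "$($f)"
done
```

The point the four results make: the same leaf is valid or invalid depending solely on which trust store the verifier consults, so a "Verify return code: 19" from the pfSense shell says nothing about the CA itself, only that the bundle being consulted did not contain it. Whatever performs the LDAP TLS handshake has to be handed the private CA explicitly, exactly as `-CAfile` does here.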