SSL CA storage

  • Hello / hola,
    I'm trying to set up an LDAP server for OpenVPN in pfSense 2.4.4-RELEASE-p2
    and I have hit a problem that's had me stumped for hours.

    I have created a CA via cert manager called "internal CA" and have issued a server cert for the ldap server (cn=dns record) signed by that CA. I have copied the ca.cert, the host.cert and the host.key file to the ldap server and configured

    TLSCertificateFile /etc/ssl/private/host.crt
    TLSCertificateKeyFile /etc/ssl/private/host.key
    TLSCACertificateFile /etc/ssl/rootCA.crt

    correctly. The LDAP server runs happily and, from anywhere with the rootCA added, running an ldap query over ssl or

    openssl s_client -connect ldap.local.lan:636

    produces a proper chain and "Verify return code: 0 (ok)", which is as it should be. From the pfsense server I get "Verify return code: 19 (self signed certificate in certificate chain)" UNLESS I copy the ca cert generated from the cert manager page into a temp file and then run:

    openssl s_client -CAfile /tmp/cafile.crt -connect ldap.local.lan:636

    when it works fine (return code: 0 OK). So, what gives? I can see the CA contents in base64 encoded format in the config file. If I cut/paste that data, decode it, then run the above command against the pasted-into file, it works fine. I'm guessing this is an error in pfsense internals somewhere (looks like config['ca'], but I have no idea what that's set to or how to find out) and I have run out of places to look.



  • LAYER 8 Netgate

    Because when you run openssl on the command line manually, you are using the certificates in the ca_root_nss-3.39 root certificate bundle from the Mozilla Project unless you specify a CA like you did.

    If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against.

  • @Derelict

    Hi Derelict,

    Thanks for that. I understand the principle but I think maybe I presented my question badly. The command:

    openssl s_client -CAfile /tmp/cafile.crt -connect ldap.local.lan:636

    is using the locally-created CA. "/tmp/cafile.crt" is a copy-paste of the certificate from the web interface "show CA certificate" and it works there, but the ldap SSL connection fails as it doesn't "have" that CA in the chain. The server cert presented by the ldap server (and signed by a CA via the web interface) isn't trusted by the pfsense host that created it.

    In a nutshell my question is "How do you add locally generated CA files to the chain of trust on the pfsense server?" or "How do you get the pfsense server to trust server certificates signed by a CA that is held in the XML file/Web interface ON that same pfsense server?"



  • @mingus

    *replying to myself*

    Sorry, to clarify some more:

    "If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against."

    That's exactly what I'm doing.

    1. create a local CA via the web interface called "internal".
    2. Use the "internal" CA to sign a server cert for ldap.localstuff.lan via the web interface.
    3. Copy the generated CA.cert, server.cert and server.key onto the ldap server.
    4. Config and test using command line ssl. All good.
    5. Set up an LDAP server connection via the web interface selecting the "internal" CA via the drop down box.
    6. Attempt an SSL connection via the setup page, which fails with error "19 (self signed certificate in certificate chain)".
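The two outcomes described in this thread (return code 19 when the private CA is only present in the chain the server sends, return code 0 once that same CA is passed with -CAfile) can be reproduced offline with the openssl CLI alone. The script below is an added example and is not code from any poster, from Netgate or from pfSense; it assumes an openssl binary is on PATH, builds a throwaway CA in a temp directory in place of the thread's "internal CA", and uses the hypothetical host name ldap.example.test in place of ldap.local.lan. The -untrusted option plays the role of the chain slapd sends to s_client: the CA certificate is available to the verifier but is not in any trust store, which is exactly the condition that produces error 19.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: rebuild the
# "verify return code 19 vs 0" situation offline. A throwaway CA stands in
# for the thread's "internal CA"; ldap.example.test is a hypothetical name
# standing in for ldap.local.lan. Everything is written to a temp directory.
set -e

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory
SERVER_CN="ldap.example.test"  # hypothetical LDAP host name

# Steps 1-2 of the thread: create the CA, then a server cert signed by it.
make_ca_and_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Internal Test CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/host.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -out "$WORK/host.crt" >/dev/null 2>&1
}

# What the pfSense host saw: the full chain is available (-untrusted supplies
# rootCA.crt the way slapd sends it to s_client), but the private CA is not in
# the default trust store, so verification fails with X509 error 19
# (self signed certificate in certificate chain). Returns non-zero.
verify_chain_only() {
  openssl verify -untrusted "$WORK/rootCA.crt" "$WORK/host.crt" >/dev/null 2>&1
}

# Numeric X509 error code from that failing run (19 expected); empty on success.
verify_chain_only_error() {
  openssl verify -untrusted "$WORK/rootCA.crt" "$WORK/host.crt" 2>&1 \
    | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# What "openssl s_client -CAfile /tmp/cafile.crt" did: the same CA is now an
# explicitly trusted anchor, so the chain verifies (return code 0).
verify_with_cafile() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/host.crt" >/dev/null 2>&1
}

make_ca_and_cert
if verify_chain_only; then
  echo "unexpected: chain trusted without the CA in a trust store"
else
  echo "CA only in the chain: openssl verify error $(verify_chain_only_error)"
fi
if verify_with_cafile; then
  echo "CA passed with -CAfile: OK"
fi
```

The point the script makes is the one the poster is circling: a CA certificate travelling inside the server's chain never creates trust by itself, so whichever component performs the TLS verification (the command-line openssl, or the pfSense LDAP authentication server configured with the "internal" CA) must have that CA installed as a trust anchor; the script shows the mechanism but does not settle where pfSense itself reads that anchor from.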
