Netgate Discussion Forum
    JumpCloud LDAP Authentication over SSL not working

    • sparkyjf

      Hi all

      I am trying to set up JumpCloud authentication over LDAPS in pfSense 2.4.4-RELEASE-p3. I have everything working perfectly in LDAP mode over port 389, so I know the configuration is good. However as soon as I switch to SSL mode, the bind fails.

      I have read a forum post and a Reddit thread that said that starting with pfSense 2.4, all intermediate CAs need to be imported as well.

      I've pulled apart the CA bundle used to trust ldap.jumpcloud.com, and imported the root CA and two intermediate CAs into the Certificate Manager. pfSense has figured out the relationship between all 3, so this step looks fine.

      I then select the Go Daddy Secure Certificate Authority - G2 as the CA for the LDAPS connection, but the bind always fails. I have also tried the inbuilt root CA bundle but to no success.

      Has anyone got this working, and if so how? It seems fundamentally broken at the moment, unless there's some setting/step somewhere that I've overlooked. The configuration seems right to me - all CA certs are imported as far as the root, and I've told pfSense to use this for LDAPS auth.

      Any help appreciated!

      James

      • stephenw10 (Netgate Administrator)

        Did you import the GoDaddy G2 CAs also? We have seen that is required with Jumpcloud previously.

        Steve

        • sparkyjf

          Yes indeed - I have imported the following certs:

          • OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
          • ST=Arizona, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, CN=Go Daddy Secure Certificate Authority - G2, C=US
          • ST=Arizona, O=GoDaddy.com, Inc., L=Scottsdale, CN=Go Daddy Root Certificate Authority - G2, C=US

          These certs are all output when you run:

          echo -n | openssl s_client -connect ldap.jumpcloud.com:636 -prexit -showcerts
          

          The chain seems complete, but pfSense can't connect using LDAPS.

          • stephenw10 (Netgate Administrator)

            What actual error do you see? In the logs?

            Steve

            • sparkyjf

              Solved it! I was following the instructions on jumpcloud.com which state to add the GoDaddy CA and intermediate certs. However doing so does not work, and actually breaks the GoDaddy support in the "Global Root CA List".

              Behaviour is as follows:

              Install GoDaddy cert chain (CA and intermediates):

              LDAPS does not work with either the GoDaddy cert chain that was manually imported, or the Global Root CA List.

              Delete all GoDaddy related certs:

              LDAPS works perfectly with the Global Root CA List.

              Thus I guess that importing certs that were already in the Global Root confused things somehow? Anyway, all working now. Is this behaviour expected?

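              The two checks that matter in this thread, reproduced offline as an added example (this is not code from the thread or from pfSense or JumpCloud): (1) the chain shown by `openssl s_client` only verifies if the client has the root in its trust store and gets the intermediate from somewhere, which is why a missing intermediate breaks LDAPS; (2) a trust bundle that carries the same CA twice can be spotted by fingerprint before it is imported. The script builds a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI; every name in it (Example Root CA, ldap.example.test) is constructed for the demo, and the duplicate check is a generic fingerprint comparison, not a statement about how pfSense itself stores or matches CAs.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA hierarchy with the openssl
# CLI and show (a) why the intermediate must be available to the verifier and
# (b) how to detect a CA that has been imported twice into one PEM bundle.
# All subject names below are constructed for this demo.
set -eu

# Build root -> intermediate -> leaf into directory $1.
make_chain() {
    dir=$1
    # CA extensions shared by root and intermediate; leaf gets server-style extensions.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"

    # Self-signed root CA (constructed name).
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1

    # Intermediate CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1

    # Leaf: the LDAPS server certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/ldap.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/ldap.pem" >/dev/null 2>&1
}

# Trust store holds only the root; the intermediate is presented by the server
# (what "-showcerts" against ldap.jumpcloud.com shows). Expected: verifies.
verify_with_server_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/ldap.pem" >/dev/null 2>&1
}

# Trust store holds only the root and no intermediate is available anywhere.
# Expected: fails with "unable to get local issuer certificate".
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/ldap.pem" >/dev/null 2>&1
}

# Print the number of CA certificates that appear more than once in a PEM bundle,
# compared by SHA-256 fingerprint. Splits the bundle with awk, one file per cert.
count_duplicate_cas() {
    bundle=$1
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -fingerprint -sha256
    done | sort | uniq -d | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# Demonstration run.
CHAIN=$(mktemp -d)
make_chain "$CHAIN"
verify_with_server_chain "$CHAIN" && echo "root trusted + intermediate from server: OK"
verify_root_only "$CHAIN" || echo "root trusted, intermediate missing: FAIL (as expected)"
# A bundle with the root pasted in twice, as happens when a CA already present in a
# trust list is imported again from a vendor's instructions.
cat "$CHAIN/root.pem" "$CHAIN/int.pem" "$CHAIN/root.pem" > "$CHAIN/store.pem"
echo "duplicate CA entries in store.pem: $(count_duplicate_cas "$CHAIN/store.pem")"
```

To check a real bundle rather than the demo one, run `count_duplicate_cas` on the PEM file you are about to import; a non-zero count means the same CA is already present and should be left out, which is the situation the post above describes.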
              • stephenw10 (Netgate Administrator)

                Nice! I'd have to say that's not expected though. Some issues with the wrong certs I'd have to guess.

                Steve

                • sparkyjf

                  Thank you @stephenw10 for your help.

                  I have just discovered something else regarding this. My JumpCloud connection is now working perfectly - however I also have an internal AD server which has a certificate generated with a CA on pfSense itself.

                  This has worked perfectly for all the time that I've had my pfSense firewall, but since my failed attempt to import the GoDaddy root certs, my internal CA doesn't seem to work any more. My AD Authentication setup used to work perfectly over LDAPS using the locally managed CA but doesn't any more. LDAP over port 389 still works, but SSL validation is now broken.

                  Is it possible I have broken the internal CA store somehow? Is there a way to fix this or rebuild?

                  Thanks in advance!

                  • manjotsc @sparkyjf

                    @sparkyjf Can you share the JumpCloud config on pfSense? It would be really helpful.

                    Thanks,

                    Vendor: HP
                    Version: P01 Ver. 02.50
                    Release Date: Wed Jul 17 2024
                    Boot Method: UEFI
                    24.11-RELEASE (amd64)
                    FreeBSD 15.0-CURRENT
                    CPU Type: Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz
                    Current: 3606 MHz, Max: 3400 MHz
                    4 CPUs : 1 package(s) x 4 core(s)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.