JumpCloud LDAP Authentication over SSL not working



  • Hi all

    I am trying to set up JumpCloud authentication over LDAPS in pfSense 2.4.4-RELEASE-p3. I have everything working perfectly in LDAP mode over port 389, so I know the configuration is good. However as soon as I switch to SSL mode, the bind fails.

    I have read a forum post and a Reddit thread that said that starting with pfSense 2.4, all intermediate CAs need to be imported as well.

    I've pulled apart the CA bundle used to trust ldap.jumpcloud.com, and imported the root CA and two intermediate CAs into the Certificate Manager. pfSense has figured out the relationship between all 3 so this step looks fine.

    I then select the Go Daddy Secure Certificate Authority - G2 as the CA for the LDAPS connection, but the bind always fails. I have also tried the inbuilt root CA bundle but to no success.

    Has anyone got this working, and if so how? It seems fundamentally broken at the moment, unless there's some setting/step somewhere that I've overlooked. The configuration seems right to me - all CA certs are imported as far as the root, and I've told pfSense to use this for LDAPS auth.

    Any help appreciated!

    James


  • Netgate Administrator

    Did you import the GoDaddy G2 CAs also? We have seen that is required with JumpCloud previously.

    Steve



  • Yes indeed - I have imported the following certs:

    • OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc., C=US
    • ST=Arizona, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, CN=Go Daddy Secure Certificate Authority - G2, C=US
    • ST=Arizona, O=GoDaddy.com, Inc., L=Scottsdale, CN=Go Daddy Root Certificate Authority - G2, C=US

    These certs are all output when you run:

    echo -n | openssl s_client -connect ldap.jumpcloud.com:636 -prexit -showcerts
    

    The chain seems complete, but pfSense can't connect using LDAPS.


  • Netgate Administrator

    What actual error do you see? In the logs?

    Steve



  • Solved it! I was following the instructions on jumpcloud.com which state to add the GoDaddy CA and intermediate certs. However doing so does not work, and actually breaks the GoDaddy support in the "Global Root CA List".

    Behaviour is as follows:

    Install GoDaddy cert chain (CA and intermediates):

    LDAPS does not work with either the GoDaddy cert chain that was manually imported, or the Global Root CA List.

    Delete all GoDaddy related certs:

    LDAPS works perfectly with the Global Root CA List.

    Thus I guess that importing certs that were already in the Global Root confused things somehow? Anyway, all working now. Is this behaviour expected?


  • Netgate Administrator

    Nice! I'd have to say that's not expected though. Some issues with the wrong certs I'd have to guess.

    Steve



  • Thank you @stephenw10 for your help.

    I have just discovered something else regarding this. My JumpCloud connection is now working perfectly - however I also have an internal AD server which has a certificate generated with a CA on pfSense itself.

    This has worked perfectly for all the time that I've had my pfSense firewall, but since my failed attempt to import the GoDaddy root certs, my internal CA doesn't seem to work any more. My AD Authentication setup used to work perfectly over LDAPS using the locally managed CA but doesn't any more. LDAP over port 389 still works, but SSL validation is now broken.

    Is it possible I have broken the internal CA store somehow? Is there a way to fix this or rebuild?

    Thanks in advance!

