LDAPS Authentication with Active Directory and Intermediate CA failed
-
Hi,
I have the exact same problem as mentioned in this post: https://forum.netgate.com/topic/97138/ldaps-authentication-issue-with-active-directory
I see that it is from 2016 so I thought that I could create a new one since there was no definitive solution provided.
I am trying to add an authentication server but it returns "Description: Unknown CA". We have an Active Directory domain with a Root CA and an Intermediate CA.
I neasted the CA in pfSense according to the documentation provided here: https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html
However, it does not seem to work. When troubleshooting with openssl s_client, I use the -CAfile option and provide the exact same neasted certificate as in pfSense and it seems to work just file, the Verify return code is 0 (ok).
I am not sure what else to try as this problem has been bothering me for a while now.
Pointers and help would be appreciated.
Thanks,
Jean-Philippe -
Between tests, connect to the console (ssh or hardware console) and run option 16 and then option 11. After that, repeat the test to see if it succeeds.
-
@jimp Hi jimp. I Just did, no change.
-
I FINALLY found it! All I needed to do is it add my Root CA to /etc/ssl/cert.pem and possibly /usr/local/openssl/cert.pem too and it works! That does not seem documented anywhere!
-
That shouldn't be necessary, and won't survive an upgrade. It's not documented because it's not a procedure anyone should be doing.
-
LPADS has been working for me for some time, including a test. A few minutes after trying to log out and log in to pfsense, I can’t log in anymore and the SSL connection does not work, I see the error "Unknown CA (48)" in network traffic. What reliable actions need to be done?
