LDAPS Authentication with Active Directory and Intermediate CA failed
I have the exact same problem as mentioned in this post: https://forum.netgate.com/topic/97138/ldaps-authentication-issue-with-active-directory
I see that it is from 2016 so I thought that I could create a new one since there was no definitive solution provided.
I am trying to add an authentication server but it returns "Description: Unknown CA". We have an Active Directory domain with a Root CA and an Intermediate CA.
I nested the CA in pfSense according to the documentation provided here: https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html
However, it does not seem to work. When troubleshooting with openssl s_client, I use the -CAfile option and provide the exact same nested certificate as in pfSense and it seems to work just fine, the Verify return code is 0 (ok).
I am not sure what else to try as this problem has been bothering me for a while now.
Pointers and help would be appreciated.
Between tests, connect to the console (ssh or hardware console) and run option 16 and then option 11. After that, repeat the test to see if it succeeds.
@jimp Hi jimp. I just did, no change.
I FINALLY found it! All I needed to do was add my Root CA to /etc/ssl/cert.pem and possibly /usr/local/openssl/cert.pem too and it works! That does not seem documented anywhere!
That shouldn't be necessary, and won't survive an upgrade. It's not documented because it's not a procedure anyone should be doing.