Netgate Discussion Forum

    LDAPS Authentication with Active Directory and Intermediate CA failed

    General pfSense Questions
    6 Posts 3 Posters 747 Views
    • jphoude

      Hi,

      I have the exact same problem as mentioned in this post: https://forum.netgate.com/topic/97138/ldaps-authentication-issue-with-active-directory

      I see that it is from 2016 so I thought that I could create a new one since there was no definitive solution provided.

      I am trying to add an authentication server but it returns "Description: Unknown CA". We have an Active Directory domain with a Root CA and an Intermediate CA.

      I nested the CA in pfSense according to the documentation provided here: https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html

      However, it does not seem to work. When troubleshooting with openssl s_client, I use the -CAfile option and provide the exact same nested certificate as in pfSense and it seems to work just fine, the Verify return code is 0 (ok).

      I am not sure what else to try as this problem has been bothering me for a while now.

      Pointers and help would be appreciated.

      Thanks,
      Jean-Philippe

      • jimp Rebel Alliance Developer Netgate

        Between tests, connect to the console (ssh or hardware console) and run option 16 and then option 11. After that, repeat the test to see if it succeeds.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • jphoude @jimp

          @jimp Hi jimp. I just did, no change.

          • jphoude

            I FINALLY found it! All I needed to do was add my Root CA to /etc/ssl/cert.pem and possibly /usr/local/openssl/cert.pem too and it works! That does not seem documented anywhere!

            • jimp Rebel Alliance Developer Netgate

              That shouldn't be necessary, and won't survive an upgrade. It's not documented because it's not a procedure anyone should be doing.


              • ya.asoloviev

                LDAPS has been working for me for some time, including a test. A few minutes after trying to log out and log in to pfsense, I can’t log in anymore and the SSL connection does not work, I see the error "Unknown CA (48)" in network traffic. What reliable actions need to be done?

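The chain-building point running through this thread (the first post's openssl s_client test with a nested CA file, and the "Unknown CA (48)" alert in the last post) shown as an added example that is not from the thread or from pfSense: a throwaway Root CA, Intermediate CA and LDAPS server certificate are built with the openssl CLI, then the server certificate is verified against a root-only bundle, against the nested bundle the pfSense troubleshooting doc describes, and against the root with the intermediate supplied separately. It assumes only that the openssl binary is on PATH; every subject, host name and file name is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway Root CA -> Intermediate CA -> LDAPS server
# chain with the openssl CLI, then check which CA bundle lets the server cert verify. All subjects
# and file names are constructed; it assumes only that the openssl binary is on PATH.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc01.example.test\n' > srv.ext

# Keys and CSRs for all three; they are signed below with explicit extension files so that no
# openssl.cnf defaults are relied on.
for n in root int srv; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=constructed $n" >/dev/null 2>&1
done
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -extfile ca.ext -out int.pem >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
    -extfile srv.ext -out srv.pem >/dev/null 2>&1

# The "nested" CA file the pfSense troubleshooting doc describes: intermediate and root in one PEM.
cat int.pem root.pem > nested.pem

# verify_with BUNDLE [UNTRUSTED]: verify srv.pem against BUNDLE and print the X509 verify error
# number, 0 meaning ok. An UNTRUSTED file stands in for an intermediate the server sends in the
# TLS handshake; without it, only what is in BUNDLE can complete the chain.
verify_with() {
    if [ $# -ge 2 ]; then
        out="$(openssl verify -no-CApath -CAfile "$1" -untrusted "$2" srv.pem 2>&1)" && { echo 0; return 0; }
    else
        out="$(openssl verify -no-CApath -CAfile "$1" srv.pem 2>&1)" && { echo 0; return 0; }
    fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

echo "root only:         $(verify_with root.pem)"          # 20: unable to get local issuer certificate
echo "nested CA file:    $(verify_with nested.pem)"        # 0
echo "root + untrusted:  $(verify_with root.pem int.pem)"  # 0
```

Error 20 here is the verifier-side counterpart of the unknown_ca (48) TLS alert quoted in the last post: a root-only trust store can only succeed when the server itself presents its intermediate in the handshake (the -untrusted case), which is why the nested file matters.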
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.