Netgate Discussion Forum

    pfSense sends packet response to LDAP - "Unknown CA"

    General pfSense Questions
    14 Posts 3 Posters 1.5k Views
    • ColdBrew

      I have my Windows Domain Controller set up for LDAPS and added it into pfSense. I set it in pfSense to check the LDAP server certificate against the CA that signed the LDAP server certificate, and I have this CA imported into pfSense.

      However, when I test authentication, it fails and I found this packet response from pfSense to the DC:
      d5e96740-26a9-4590-94e8-91674763178b-image.png

      It seems like pfSense is assuming the CA is unknown, even though I have it imported to the trusted store on pfSense.

      Any ideas?

      • stephenw10 (Netgate Administrator)

        How exactly did you import it? Are you sure it's the correct CA cert?

        Did you select it as the peer CA in the LDAP config?

        Steve

        • ColdBrew @stephenw10

          @stephenw10 I opened the CA's cert file and copied the X509 certificate data, it's formatted as:
          -----BEGIN CERTIFICATE-----
          (data)
          -----END CERTIFICATE-----

          I triple-checked that it's the right cert, I compared serial numbers and thumbprints and they matched.

          I selected this CA in the LDAP config in pfSense, yes, and even tried importing the CA as a chain too, no luck there.

          • stephenw10 (Netgate Administrator)

            I have seen Windows send multiple certs where only one is correct. In which case that error might be expected followed by success. I assume that's not what you see in the pcap though?

            • ColdBrew @stephenw10

              @stephenw10 No I just see one. Is there a way I can extract the certificate from that packet? I'm confident it's sending the correct one right away because I followed Microsoft's guide on importing the LDAP certificate to the NTDS Cert store instead of the computer's store (LDAP will always prefer any cert in the NTDS store over the computer's Personal store).

              • stephenw10 (Netgate Administrator)

                Does the hostname pfSense is using match the server cert?

                Is there a time/date discrepancy somewhere?

                • ColdBrew @stephenw10

                  @stephenw10 Yes, it's using the FQDN which is the CN/SAN of the certificate.

                  I'll look again but didn't see anything there regarding time/date.

                  • stephenw10 (Netgate Administrator)

                    Hmm, not much left. Anything logged at either end?

                    • ColdBrew @stephenw10

                      @stephenw10 pfSense doesn't really give me helpful info, it just says authentication failed. All Windows Server is giving me is that the login attempt failed.

                      • stephenw10 (Netgate Administrator)

                        Hmm, but it's showing a login attempt?

                        That seems odd if pfSense is rejecting the server cert. I wouldn't expect it to even try really.

                        • ColdBrew

                          @stephenw10 I just used openssl s_client to connect to my domain controller and see the presented certificate for LDAPS and confirmed it is in fact the cert I made and designated for it. So, pfSense is definitely both receiving the right cert and also has the right issuer imported as a trusted CA, so I'm not sure why it's rejecting it still. The LDAPS certificate's CN and SAN both are identical to the hostname I'm using to connect to it.

                          • stephenw10 (Netgate Administrator)
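As an added example (not code from the thread, from pfSense or from Netgate), the check pfSense is effectively performing can be reproduced offline with openssl: a constructed CA and DC certificate are generated, then the DC cert is verified against the correct CA, against an unrelated CA (the case that produces the "unknown CA" alert) and against the expected hostname. The hostname dc.example.internal, the file names and the CA subjects are assumptions.

```shell
#!/bin/sh
# Added example: mirror the verification pfSense does when "peer CA" is set.
# The TLS "unknown CA" alert is sent when the DC's cert does not chain to the
# selected CA. Everything below is constructed test PKI, not real data.
# To check a real DC instead, capture its chain first (hostname assumed):
#   openssl s_client -connect dc.example.internal:636 -showcerts </dev/null \
#     2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > dc-chain.pem
set -e
WORK=${WORK:-$(mktemp -d)}

make_test_pki() {
  # Constructed enterprise CA, plus an unrelated CA standing in for a wrong import
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  # DC cert whose SAN matches the FQDN pfSense would connect to
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc.example.internal" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
  printf 'subjectAltName=DNS:dc.example.internal\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/dc.pem" 2>/dev/null
}

# Chain check: does the server cert verify against this CA file?
# On failure openssl prints the reason, e.g. "unable to get local issuer
# certificate", which is what the client then signals as "unknown CA".
check_issuer() {  # $1 = CA PEM, $2 = server cert PEM
  openssl verify -CAfile "$1" "$2"
}

# Hostname check stephenw10 asked about: does CN/SAN match the name used?
check_hostname() {  # $1 = CA PEM, $2 = server cert PEM, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Side-by-side view of who signed the DC cert vs. which CA was imported
show_issuer_vs_ca() {  # $1 = CA PEM, $2 = server cert PEM
  echo "DC cert issuer:      $(openssl x509 -noout -issuer -in "$2")"
  echo "Imported CA subject: $(openssl x509 -noout -subject -in "$1")"
}

if [ "${1:-}" = "demo" ]; then
  make_test_pki
  show_issuer_vs_ca "$WORK/ca.pem" "$WORK/dc.pem"
  check_issuer "$WORK/ca.pem" "$WORK/dc.pem"
  check_issuer "$WORK/other.pem" "$WORK/dc.pem" || echo "-> the 'unknown CA' case"
fi
```

Run with `sh script.sh demo`; if the issuer line and the CA subject line differ, the imported CA is not the one that signed the DC cert, however the thumbprints were compared.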

                            Hmm, what we can see of that error looks a lot like it could be what's shown here:
                            https://redmine.pfsense.org/issues/11626#note-9

                            Except that it shows TLS 1.2.

                            What pfSense version is this?

                              • ColdBrew @stephenw10

                              @stephenw10 It's on the latest CE version, 2.6.0-RELEASE (amd64).

                                • yqjrnnxq @ColdBrew

                                 @sweber I am having the same issue on 2.7.0-RELEASE. I have also imported the signing certs and tried the "Add this Certificate Authority to the Operating System Trust Store" on and off. The diagnostics options are too vague and not detailed enough. I performed a packet capture while testing with the authentication diagnostics and while the actual error is the "unknown CA" packet message, the pfSense authentication diagnostics logs just say "/diag_authentication.php: ERROR! Could not bind to LDAP server LDAP. Please check the bind credentials.". The logs also say "/diag_authentication.php: LDAP Debug: LDAP connection error flag: false" despite me enabling the "Set debug flag" in the Diagnostics / Authentication test page.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.