pfSense sends packet response to LDAP - "Unknown CA"
-
I have my Windows Domain Controller set up for LDAPS and added it into pfSense. I set it in pfSense to check the LDAP server certificate against the CA that signed the LDAP server certificate, and I have this CA imported into pfSense.
However, when I test authentication, it fails and I found this packet response from pfSense to the DC:
It seems like pfSense is assuming the CA is unknown, even though I have it imported to the trusted store on pfSense.
Any ideas?
-
How exactly did you import it? Are you sure it's the correct CA cert?
Did you select it as the peer CA in the LDAP config?
Steve
-
@stephenw10 I opened the CA's cert file and copied the X509 certificate data, it's formatted as:
-----BEGIN CERTIFICATE-----
(data)
-----END CERTIFICATE-----I triple-checked that it's the right cert, I compared serial numbers and thumbprints and they matched.
I selected this CA in the LDAP config in pfSense, yes, and even tried importing the CA as a chain too, no luck there.
-
I have seen Windows send multiple certs where only one is correct. In which case that error might be expected followed by success. I assume that's not what you see in the pcap though?
-
@stephenw10 No I just see one. Is there a way I can extract the certificate from that packet? I'm confident it's sending the correct one right away because I followed Microsoft's guide on importing the LDAP certificate to the NTDS Cert store instead of the computer's store (LDAP will always prefer any cert in the NTDS store over the computer's Personal store).
-
Does the hostname pfSense is using match the server cert?
Is there a time/date discrepancy somewhere?
-
@stephenw10 Yes, it's using the FQDN which is the CN/SAN of the certificate.
I'll look again but didn't see anything there regarding time/date.
-
Hmm, not much left. Anything logged at either end?
-
@stephenw10 pfSense doesn't really give me helpful info, it just says authentication failed. All Windows Server is giving me is that the login attempt failed.
-
Hmm, but it showing a login attempt?
That seems odd if pfSense is rejecting the the server cert. I wouldn't expect it to even try really.
-
@stephenw10 I just used opennsl s_client to connect to my domain controller and see the presented certificate for LDAPS and confirmed it is in fact the cert I made and designated for it. So, pfSense is definitely both receiving the right cert and also has the right issuer imported as a trusted CA, so I'm not sure why it's rejecting it still. The LDAPS certificate's CN and SAN both are identical to the hostname I'm using to connect to it.
-
Hmm, what we can see of that error looks a lot like it could be what's shown here:
https://redmine.pfsense.org/issues/11626#note-9Except that it shows TLS 1.2.
What pfSense version is this?
-
@stephenw10 It's on the latest CE version, 2.6.0-RELEASE (amd64).
-
@sweber I am having the same issue on 2.7.0-RELEASE. I have also imported the signing certs and tried the "Add this Certificate Authority to the Operating System Trust Store" on and off. The diagnostics options are too vague and not detailed enough. I performed a packet capture while testing with the authentication diagnostics and while the actual error is the "unknown CA" packet message, the pfSense authentication diagnostics logs just says "/diag_authentication.php: ERROR! Could not bind to LDAP server LDAP. Please check the bind credentials.". The logs also say "/diag_authentication.php: LDAP Debug: LDAP connection error flag: false" despite me enabling the "Set debug flag" in the Diagnostics / Authentication test page.
