Issue with SSL Certificates After Update from 2.6 to 2.7
Hello,
I'm seeking your assistance following a failed update from version 2.6 to 2.7. I'm using two pfSense instances as HAProxy load balancers for openldap-server: lb1.domain.com (restored from a snapshot) and lb2.domain.com (still running 2.7 for testing purposes). The problem lies with SSL certificates, but both servers have identical configurations.
When I run the command 'openssl s_client -connect lb1.domain.com:636', I get the following result:
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
   i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
 1 s:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
---
Start Time: 1696410343
Timeout: 300 (sec)
Verify return code: 0 (ok)
And when I execute 'openssl s_client -connect lb2.domain.com:636', I receive the following result:
CONNECTED(00000003)
depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
   i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
---
Start Time: 1696413058
Timeout: 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
It appears that the distributed chain is different. Your assistance in resolving this issue would be greatly appreciated.
Thank you in advance.
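The symptom above (lb2 sends only the leaf, so the client cannot find the GEANT intermediate) can be caught before clients fail by parsing the "Certificate chain" section of s_client output and checking that each certificate's issuer is either the next certificate sent, self-signed, or a known trust anchor. The script below is an added example, not code from the poster or from pfSense/HAProxy; it assumes the slash-style subject format shown in the post and a trust store that contains only the AAA Certificate Services root, and the sample transcripts are constructed (abbreviated) from the two outputs above.

```python
import re

# Constructed samples, abbreviated from the two s_client transcripts in the post above.
LB1 = """---
Certificate chain
 0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
   i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
 1 s:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
---
Verify return code: 0 (ok)
"""
LB2 = """---
Certificate chain
 0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
   i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
---
Verify return code: 21 (unable to verify the first certificate)
"""
# Assumed trust store contents: only the root that appears in the post.
TRUSTED_ROOTS = {"/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services"}

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section, leaf first."""
    return re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", output, re.MULTILINE)

def verify_code(output):
    """Return the numeric 'Verify return code', or None if the line is absent."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def missing_issuers(output, trusted_roots=TRUSTED_ROOTS):
    """Issuers the server should have sent but did not. A cert's issuer must be the next cert
    in the chain unless the cert is self-signed or its issuer is already a trust anchor."""
    chain = parse_chain(output)
    missing = []
    for idx, (subject, issuer) in enumerate(chain):
        if subject == issuer or issuer in trusted_roots:
            continue
        next_subject = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if next_subject != issuer:
            missing.append(issuer)
    return missing

def chain_is_complete(output, trusted_roots=TRUSTED_ROOTS):
    """True when verification succeeded and no intermediate is missing from what the server sent."""
    return verify_code(output) == 0 and not missing_issuers(output, trusted_roots)

if __name__ == "__main__":
    for name, out in (("lb1", LB1), ("lb2", LB2)):
        print(name, "complete" if chain_is_complete(out) else "missing: %s" % missing_issuers(out))
```

Feed it real output with `openssl s_client -connect host:636 </dev/null` piped to a file; the same check applies to any HAProxy frontend whose certificate file was uploaded without the intermediate(s) appended.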