Certificate Questions and Issues

Status
Not open for further replies.

dredhorse

Dabbler
Joined
Jan 6, 2017
Messages
13
Hi,

When you want to use AD and LDAP with LDAPS, you need a certificate.

a) Why can I only select certificates which are imported to CA?
b) How / which certificate do I need to import?
c) Do I need a .crt, .pem, etc.?
d) Why do I need the private key?
e) How must the certificate look text-wise? Including
Code:
Certificate:
	Data:
		Version: 3 (0x2)
		Serial Number: 890192659530388930 (0xc5a9981e4f815c2)
	Signature Algorithm: sha256WithRSAEncryption

Or just
Code:
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIIDFqZgeT4FcIwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNV
etc.....
KN3oI/wAR3iwalzGfHF1FBKGVK6h/R9q2KNmwolA1C7d13TfA5zstZfJDNTssEWg
OHOYGa8vuN/mkCkcJKOOmfGg953qRj4iU+rFSjT/BW5/VAHJtMsuPc9FIQ==
-----END CERTIFICATE-----


I want to use Zentyal as an LDAP source but get
  • Can't contact LDAP server, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
when I want to enable the service.

I imported the CA certificate (without the private key) into CA and the server certificate (with the private key) into the web GUI. Only the CA certificate is selectable in the LDAP config.

Using FreeNAS-9.10.2-U1 (86c7ef5)

Regards

Don

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478

dredhorse
This pointed me in the right direction, together with a bug report telling a user to use `openssl s_client -showcerts -connect ldap:636`.

Unfortunately this doesn't work when I run the command from the filer; the certificate I can copy doesn't give me access to LDAPS, as the authentication chain fails.

I guess I'm on the right path. I still find the documentation on the way certificates are handled (e.g. requesting a sequence number for the CA certificate) lacking; in my opinion this is overly complicated. Most other products prompt you with "do you want to accept the certificate?" and that's it.

Regards

Don
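The two posts above both come down to the same question: what "unable to get local issuer certificate" means and which file makes it go away. The script below is an added example, not code from this thread, from FreeNAS or from Zentyal. It builds a throwaway CA and a server certificate issued by it (the names "Example Lab CA" and "ldap.example.lab", and the temporary directory, are made up for the example) and then uses the same OpenSSL checks a client performs: verifying the server certificate against the system store alone reproduces the error from the first post, verifying against the server certificate itself still fails because a leaf is not an issuer, and verifying against the CA certificate succeeds. It also shows that the "Certificate: Data: Version:" listing is just `openssl x509 -text` output and that the importable form is the PEM `BEGIN CERTIFICATE` block, with a DER-to-PEM conversion for a binary `.crt`. It requires only the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the forum thread, FreeNAS or Zentyal): build a
# throwaway CA plus a server certificate it issued, then show which file
# a client needs to clear "unable to get local issuer certificate".
# Assumes the openssl CLI is installed; all names below are made up.

WORK="$(mktemp -d)"

# Self-signed CA, then a server key/CSR, then the server cert signed by the CA.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.lab" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when certificate $2 chains to a root in bundle $1. This is what
# the LDAP client does with the server's certificate at connect time.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify $1 against the system trust store only and print OpenSSL's reason.
# For a private CA this is exactly the error quoted in the first post.
verify_reason() {
    openssl verify "$1" 2>&1 | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Exit 0 when the certificate in $1 names $2 in its Issuer field. The
# Issuer tells you whose CA certificate (not the server's) must be imported.
issued_by() {
    openssl x509 -in "$1" -noout -issuer | grep -q "$2"
}

# Exit 0 when $1 is a PEM certificate (the BEGIN/END block). The
# "Certificate: Data: Version: ..." listing is 'openssl x509 -text' output,
# which is for reading only and cannot be imported.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Convert a binary (DER) certificate to PEM; both encodings hide behind .crt/.cer.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# SHA-256 fingerprint, encoding-independent: compare what you imported with
# what the server actually presents.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

make_pki || { echo "openssl setup failed"; exit 1; }

echo "server cert issuer  : $(openssl x509 -in "$WORK/server.crt" -noout -issuer)"
echo "system store only   : $(verify_reason "$WORK/server.crt")"
if verify_with_ca "$WORK/server.crt" "$WORK/server.crt"; then
    echo "server cert as CA   : ok"
else
    echo "server cert as CA   : fails (a leaf certificate is not an issuer)"
fi
verify_with_ca "$WORK/ca.crt" "$WORK/server.crt" && echo "ca.crt as CA        : ok"
# The private key is only needed where the certificate is presented: the LDAP
# server holds server.key. A client needs nothing but ca.crt (the issuer chain).
```

Against a live server the same check is `openssl s_client -showcerts -connect host:636 -CAfile ca.crt </dev/null`; with the right CA file the output ends in `Verify return code: 0 (ok)`. Note that servers usually send only the leaf and any intermediates, not the root, so the last certificate printed by `-showcerts` is not necessarily the one to import as the CA; the root has to come from the CA itself, and its fingerprint should match what the CA's own export shows.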