AuthAD and Authldap not working with SSL - Certificate trouble
ViscOtt #1
Member for 2 months · 2 posts
Group memberships: Members
Subject: AuthAD and Authldap not working with SSL - Certificate trouble
So I've been fighting with this for hours and have finally got to a point I can't progress past anymore. I'm trying to integrate logins through our Active Directory. I can get it to work on the normal port 389, but we need 636 or 3269 for security reasons.

Looking at the logs, it passes the LDAPS connection but stops at the SSLv3/TLS client hello. Here is a snippet of the error log:

ldap_connect_to_host: Trying SERVER.IP:636 //removed ip
ldap_pvt_connect: fd: 1512 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: /CN=d.domain.d.d, issuer: /DC=d/DC=d/DC=domain/CN=Account //redacted
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).

Also on the domain controller there is an error in event viewer saying:
The certificate chain was issued by an authority that is not trusted.


This obviously points to a certificate issue but I'm not sure how to fix it. The site has a generic "www.example.com" certificate. We have a windows CA I could possibly create a certificate through. I understand certificates a little but that's about it.

It's installed and running on a Windows 2019 server with Apache and PHP. I basically used the Bitnami installer on a fresh server.

Any help would be greatly appreciated, thanks!
schplurtz (Moderator) #2
Member since Nov 2009 · 518 posts · Location: France, Finistère
Group memberships: Global Moderators, Members
Hi,

TLS certificate verification: depth: 0, err: 20, subject: /CN=d.domain.d.d, issuer: /DC=d/DC=d/DC=domain/CN=Account //redacted
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
The TLS implementation on your DokuWiki server does not trust the authority that signed the LDAP/AD certificate.

The solution is to add the root CA of the AD cert (or at least its issuer cert) to the list of trusted CAs on the DokuWiki server. I don't know how you do that.

Please note that certificates were also invented so that clients are sure they connect to the right server. The name embedded in the certificate CN and SAN fields must match the name of the server. This means:
- the AD server must use a correct cert, otherwise DW won't be able to connect to it.
- the DW HTTPS server must use a correct cert, otherwise browsers won't be able to connect, or will at least show a warning like "This site is probably dangerous".
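A concrete way to check both points schplurtz makes (the client must trust the AD CA, and it must be talking to the name in the cert), as an added example that is not from this thread and not part of DokuWiki or its authAD plugin. The log in the first post is OpenLDAP plus OpenSSL output, which is what PHP's ldap extension uses, so the check is written against that same client library; authAD goes through the same code path. Everything specific here is a placeholder: the DC name dc1.ad.example.com, the bind account svc-dokuwiki@ad.example.com, the AD_BIND_PASSWORD environment variable, the CA file path, and the ldapsCheck() helper itself.

```php
<?php
// Added example, not code from the thread or from DokuWiki/authAD.
// Stand-alone check: does PHP's LDAP client (OpenLDAP + OpenSSL, as in the
// log above) trust the issuer of the domain controller's certificate, and
// does a bind over port 636 succeed?
// Hypothetical values: DC name, bind account, env var and CA file path.

declare(strict_types=1);

// Use the FQDN that appears in the DC certificate's CN/SAN. Connecting by IP
// fails name verification unless the IP itself is listed in the SAN.
const DC_HOST = 'dc1.ad.example.com';
const BIND_DN = 'svc-dokuwiki@ad.example.com';   // a low-privilege bind account

/**
 * Attempt an LDAPS bind and report whether the TLS handshake and bind worked.
 *
 * @param string|null $caFile PEM file holding the Windows root CA (and the
 *                            issuing CA, if the DC cert was issued by a
 *                            subordinate CA); null reproduces the failure
 *                            from the original log.
 * @return array{ok: bool, error: string}
 */
function ldapsCheck(string $host, ?string $caFile, string $dn, string $password): array
{
    // TLS settings are global to the OpenLDAP client and must be in place
    // before the first connection builds its TLS context. DEMAND means a
    // bad or untrusted chain aborts the connection; never "fix" this by
    // switching to LDAP_OPT_X_TLS_NEVER, that disables verification entirely.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            return ['ok' => false, 'error' => "CA file not readable: $caFile"];
        }
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }
    // Uncomment to get the same "TLS trace:" lines as in the original post:
    // ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

    $ds = ldap_connect("ldaps://$host:636");
    if ($ds === false) {
        return ['ok' => false, 'error' => 'malformed LDAP URI'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // ldap_connect() only parses the URI; the TCP connect and the TLS
    // handshake happen on the first operation. A rejected chain surfaces
    // here as "Can't contact LDAP server" plus the OpenSSL reason.
    $ok = @ldap_bind($ds, $dn, $password);
    $error = '';
    if (!$ok) {
        $detail = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        $error = ldap_error($ds) . ($detail !== '' ? " ($detail)" : '');
    }
    ldap_unbind($ds);
    return ['ok' => $ok, 'error' => $error];
}

// Usage: php ldaps-check.php [C:\certs\ad-root-ca.pem]
// Run once with no argument to reproduce the "unable to get local issuer
// certificate" failure, then once with the exported CA file; the second run
// is expected to print "ok". Use a fresh process for each run, because the
// global TLS context is only built once.
$password = getenv('AD_BIND_PASSWORD') ?: '';
$result = ldapsCheck(DC_HOST, $argv[1] ?? null, BIND_DN, $password);
echo $result['ok'] ? "ok\n" : "FAILED: {$result['error']}\n";
exit($result['ok'] ? 0 : 1);
```

To produce the PEM file on a Windows CA, the route I would take is certutil: `certutil -config "CAHOST\CA-Name" -ca.cert C:\certs\ad-root-ca.cer` exports the CA certificate in DER form, and `certutil -encode C:\certs\ad-root-ca.cer C:\certs\ad-root-ca.pem` converts it to the Base64/PEM form OpenSSL reads; if the DC certificate was issued by a subordinate CA, append that issuing CA's PEM to the same file. The script only proves the client side; DokuWiki itself never calls it, so for authAD the same trust anchor has to reach the OpenLDAP client library through its own configuration, i.e. a `TLS_CACERT` line in the client's ldap.conf or the `LDAPTLS_CACERT` environment variable seen by the Apache/PHP process. Where that ldap.conf lives on a Bitnami Windows stack is not something I can state from this thread, so treat its location as something to confirm locally.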
ViscOtt #3
Member for 2 months · 2 posts
Group memberships: Members
That's kind of what I figured, just not sure how either.

Our AD server certificate has that server's FQDN as the CN and SAN so it should be correct.

The DW HTTPS certificate is a generic one so it does give us a warning.
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Current time: 2020-04-04, 12:11:20 (UTC +02:00)