OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: 0xDEADC0DE on November 10, 2021, 09:51:42 am
-
I installed the 21.7.4 update yesterday and the OpenVPN clients with AD authentication cannot connect anymore.
I have installed the certificates under System -> Trust -> Authorities and they are still valid.
When I use the internal tester, I get this error.
The following input errors were detected:
Authentication failed.
error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
ldap_error: Can't contact LDAP server
I have our internal CA, intermediate CA and the DC certificates installed.
How can I fix it?
-
System : Settings : General : Store intermediate
Try this ...
-
Thanks. That worked.
I didn't read it in the changelogs, is it new or was it changed?
-
New to fix Let's Encrypt / acme-client expiry breakage in default configuration.
All of this to not break old Android phones. Thanks a lot ;)
Cheers,
Franco
-
Old phones are old and there is a reason they should be dead and not working, especially when it comes to certificates. ;)
-
0xDEADC0DE
Just for completeness, the mentioned method is not the only one. Patch added (so you do not need to add intermediate certificates if you do not need them).
And yes, LE, with this whole story of "let's ensure compatibility with ancient devices through an expired root", did a disservice to many (with all my love for them for what they do).
-
The patch:
opnsense-patch 898c1d5
... then reboot.
You can check LDAPS certificate chains using Duo's tool (https://help.duo.com/s/article/4207?language=en_US) or similar.
If your LDAPS server provides the Intermediate CA certificate with the Server Certificate when you connect, then it is NOT a requirement to import the Intermediate CA certificate into the store (at least for LDAP). Whether or not it is imported into the store becomes a matter of security / PKI policy implementation (in the case it is unneeded for any other purpose).
I think this is the sixth topic on this subject. Time to sticky it until next release?
-
I think the problem scope is rather limited. And the next release is today anyway.
Cheers,
Franco
-
... the next release is today anyway.
Sweet! I look forward to the official announcement.
Do you publish development milestones on a board somewhere?
-
We used to, but at the moment we are trying to tie this into github via "roadmap" label:
https://github.com/opnsense/core/issues?q=label%3Aroadmap+milestone%3A22.1
The process needs to be polished a lot, but we are not in a hurry. ;)
FWIW, the 21.7.5 release notes will tell a little bit about the 22.1-BETA1 release and new things in that upcoming release which are already implemented.
Cheers,
Franco
-
I don't really understand one thing.
Our servers only deliver the server certificate, no intermediate certificates. But in OPNsense we have the root, intermediate and server certificates imported. So what you say is that it should have worked already but it didn't.
-
@ 0xDEADC0DE
Could you clarify the question?
If the server does not return the certificate chain (by the way, why?), then you may need to import the intermediate certificates into the store.
The mentioned fix only removes the inability to import some root certificates.
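The two points made above (checking what chain the LDAPS server actually sends, and that the intermediate has to come from either the server or the trust store) can be reproduced locally. The following is an added example and not code from the thread or from OPNsense: it builds a throwaway root, issuing CA and DC certificate with openssl, then runs `openssl verify` once per situation. All subject names, file names and the DC hostname `dc1.example.internal` are made up for the demo, and the `s_client` line in the comment is the one to run against a real DC.

```shell
#!/bin/sh
# Added example (not from the OPNsense thread or project): reproduce the
# "unable to get local issuer certificate" failure and the two ways it goes
# away. Chain built here: Example Root CA -> Example Issuing CA -> dc1.
# All names and paths are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.example.internal
EOF

# EC keys keep key generation fast. Key/CSR noise on stderr is discarded.
make_chain() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 -subj "/CN=Example Root CA" \
    -config "$WORK/req.cnf" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Issuing CA" \
    -config "$WORK/req.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -out "$WORK/int.pem" -extfile "$WORK/req.cnf" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/dc1.key" -out "$WORK/dc1.csr" -subj "/CN=dc1.example.internal" \
    -config "$WORK/req.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/dc1.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/dc1.pem" -extfile "$WORK/req.cnf" -extensions leaf_ext 2>/dev/null
}

# Print "OK" when dc1.pem verifies with the given options, otherwise the
# reason openssl gives (the text after "depth lookup:").
verify_result() {
  out="$(openssl verify "$@" "$WORK/dc1.pem" 2>&1)" && { echo OK; return 0; }
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# Case 1: trust store holds only the root, server sends only its own cert.
# This is the error from the first post.
case_root_only() { verify_result -CAfile "$WORK/root.pem"; }

# Case 2: server sends the intermediate along with its cert (-untrusted
# stands in for "received on the wire"); nothing extra needs importing.
case_server_sends_int() { verify_result -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem"; }

# Case 3: server sends only its cert, but the intermediate was imported
# into the trust store next to the root.
case_store_has_int() {
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store.pem"
  verify_result -CAfile "$WORK/store.pem"
}

# Against a real DC, see which case applies (needs network, not run here):
#   openssl s_client -connect dc1.example.internal:636 -showcerts </dev/null
# One entry under "Certificate chain" means cases 1/3, two or more means case 2.

make_chain
echo "root only in store, server sends leaf only : $(case_root_only)"
echo "root in store, server sends intermediate   : $(case_server_sends_int)"
echo "root + intermediate in store               : $(case_store_has_int)"
```

The first line of output is the `unable to get local issuer certificate` reason from the original post; the other two print `OK`. Which of cases 2 and 3 to rely on is the PKI policy question raised above: if the DCs are made to send their chain, the intermediate does not need to live in the OPNsense store at all.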
-
if the server does not return the certificate chain (by the way, why?)...
Devs be cutting corners...! ;)