Bug #19416
closed
Unable to verify LDAPS certificate
Description
When trying to connect to a Windows Active Directory with LDAP over SSL (LDAPS), the connection fails due to not being able to verify the certificate. The root certificate have been added as a trusted CA on the Foreman server.
Guides and tips from the following issues and documentation have been tried:
- #10139 - http://projects.theforeman.org/issues/2435
- #9858 - http://projects.theforeman.org/issues/9858
- https://theforeman.org/manuals/1.14/index.html#4.1.1LDAPAuthentication
Nothing changes the outcome when trying to connect to the AD server using LDAPS, however no problem with LDAP.
Communication with LDAPS is working when disabling the certificate verification in the Foreman configuration:
/usr/share/foreman/app/models/auth_sources/auth_source_ldap.rbChanging VERIFY_PEER to VERIFY_NONE allows communication with LDAPS.
93 { :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER / NONE } }
System information:
- Ubuntu 16.04 Xenial
- Puppet version 4.9.2
- Foreman version 1.12.4
- Foreman installation guide used: https://marcusit.com/setting-up-puppet-and-foreman-on-ubuntu-16-04-part-i/
Files
Updated by Marek Hulán over 7 years ago
could you double check that you installed the certificate of a CA that you (should) see when running
openssl s_client -showcerts -connect ad_host:port
we're using standard openssl verification so it's very likely something with the configuration
Updated by Marek Hulán over 7 years ago
- Project changed from Website to Foreman
- Category set to Authentication
Updated by Sindre Grindvoll over 7 years ago
Thanks for the quick reply!
The output verifies that the correct CA is installed.
Updated by Karli Sjöberg over 7 years ago
Sindre Grindvoll wrote:
Thanks for the quick reply!
The output verifies that the correct CA is installed.
I have just solved this problem myself and thought of opening a new issue but found this open and didn´t want to spam issues so I'm adding to this instead, even though it might not be related to your situation, apologies in advance:)
I had also added my CA to the system´s root bundle and restarted apache but couldn´t get it going either, until I edited the previously mentioned file "/usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb" like this:
########
--- /usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb 2017-05-17 21:30:45.804696000 0200
++ /usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb 2017-05-17 21:31:27.883089000 +0200@ -95,7 +95,7 @
########
def encryption_config
return nil unless tls
- { :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
+ { :method => :simple_tls, :tls_options => { :ca_file => "/usr/local/etc/ssl/cert.pem", :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
enddef ldap_con(login = nil, password = nil)After another restart of apache, it worked like a charm!
@Marek Hulán
My Foreman server is running on FreeBSD, which is why the CA bundle is called like that. What´s it called in other distros like CentOS, Debian and so forth? Would it be possible to ifdef based on operatingsystem what "tls_options" becomes, we could just add exceptions to the default based on that? Would that be an acceptable solution? I´m just thinking out loud for the sake of better platform support.
Best Regards
Karli Sjöberg
Updated by Karli Sjöberg over 7 years ago
Hi again!
I got inspired and made a patch that adjusts "tls_options" if running on FreeBSD, plus that I forgot to format the patch in my previous post as "code" so it looked weird, a patch file is better. Tested with Foreman 1.14.1.
/K
Updated by Marek Hulán over 7 years ago
Thanks Karli, could you please open a PR with the patch at https://github.com/theforeman/foreman? I think it would get accepted. If you're unsure about how to do it, please see https://theforeman.org/contribute.html#SubmitPatches
Updated by Karli Sjöberg over 7 years ago
Marek Hulán wrote:
Thanks Karli, could you please open a PR with the patch at https://github.com/theforeman/foreman? I think it would get accepted. If you're unsure about how to do it, please see https://theforeman.org/contribute.html#SubmitPatches
Absolutely, here you have it:
https://github.com/theforeman/foreman/pull/4539
Thank you for the links, I don´t do this often enough to remember it:)
/K
Updated by Karli Sjöberg over 7 years ago
Hello again!
After discussing it with a couple of developers, I decided to scrap the PR, it isn´t needed actually. Apparently, in FreeBSD, there are several CA bundles and I added my CA to one that ruby doesn´t look in:)
@Sindre Grindvoll
I wrote this script that prints ruby´s CA settings:
require "openssl"
puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE
- sudo -u foreman ruby /usr/share/foreman/test_ssl.rb
Then you will know what file you need to add your CA to.
Best Regards
Karli Sjöberg
Updated by Sindre Grindvoll over 7 years ago
Amazing response to this issue! Thank you so much guys.
I havn't had the oportunity to continue the troubleshooting for a little while, but will try out the fix next week!
Updated by
Updated by Sindre Grindvoll over 7 years ago
I tried out your script which returns the default keystore in use by Ruby. The funny thing, is that the keystore the script returns doesn't exist on the VM I'm running this on. This means that ruby can't find the CA when it tries to verify the LDAPS connection. Unfortunately I don't have time to do further troubleshooting at the moment, but I do think this is the answer to my problems.