could you double check that you installed the certificate of a CA that you (should) see when running

openssl s_client -showcerts -connect ad_host:port

we're using standard openssl verification so it's very likely something with the configuration

Thanks for the quick reply!

The output verifies that the correct CA is installed.

Sindre Grindvoll wrote:

Thanks for the quick reply!

The output verifies that the correct CA is installed.

I have just solved this problem myself and thought of opening a new issue but found this open and didn´t want to spam issues so I'm adding to this instead, even though it might not be related to your situation, apologies in advance:)

I had also added my CA to the system´s root bundle and restarted apache but couldn´t get it going either, until I edited the previously mentioned file "/usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb" like this: ########
--- /usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb 2017-05-17 21:30:45.804696000 0200
++ /usr/local/share/foreman/app/models/auth_sources/auth_source_ldap.rb 2017-05-17 21:31:27.883089000 +0200
@ -95,7 +95,7 @ ########

def encryption_config
     return nil unless tls
-    { :method => :simple_tls, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
+    { :method => :simple_tls, :tls_options => { :ca_file => "/usr/local/etc/ssl/cert.pem", :verify_mode => OpenSSL::SSL::VERIFY_PEER } }
   end

def ldap_con(login = nil, password = nil)

After another restart of apache, it worked like a charm!

@Marek Hulán
My Foreman server is running on FreeBSD, which is why the CA bundle is called like that. What´s it called in other distros like CentOS, Debian and so forth? Would it be possible to ifdef based on operatingsystem what "tls_options" becomes, we could just add exceptions to the default based on that? Would that be an acceptable solution? I´m just thinking out loud for the sake of better platform support.

Best Regards
Karli Sjöberg

Thanks Karli, could you please open a PR with the patch at https://github.com/theforeman/foreman? I think it would get accepted. If you're unsure about how to do it, please see https://theforeman.org/contribute.html#SubmitPatches

Marek Hulán wrote:

Thanks Karli, could you please open a PR with the patch at https://github.com/theforeman/foreman? I think it would get accepted. If you're unsure about how to do it, please see https://theforeman.org/contribute.html#SubmitPatches

Absolutely, here you have it:
https://github.com/theforeman/foreman/pull/4539

Thank you for the links, I don´t do this often enough to remember it:)

/K

Hello again!

After discussing it with a couple of developers, I decided to scrap the PR, it isn´t needed actually. Apparently, in FreeBSD, there are several CA bundles and I added my CA to one that ruby doesn´t look in:)

@Sindre Grindvoll
I wrote this script that prints ruby´s CA settings:

1. sudo -u foreman ruby /usr/share/foreman/test_ssl.rb

Then you will know what file you need to add your CA to.

Best Regards
Karli Sjöberg

Amazing response to this issue! Thank you so much guys.

I havn't had the oportunity to continue the troubleshooting for a little while, but will try out the fix next week!

I tried out your script which returns the default keystore in use by Ruby. The funny thing, is that the keystore the script returns doesn't exist on the VM I'm running this on. This means that ruby can't find the CA when it tries to verify the LDAPS connection. Unfortunately I don't have time to do further troubleshooting at the moment, but I do think this is the answer to my problems.