Bug #11332

closed

Using LDAP authentication against a pfSense+HAProxy-balanced LDAP endpoint does not work

Added by Thomas Malmberg over 4 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date: 01/29/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

The scenario is as follows. pfsense-01 is using pfsense-02/haproxy with SSL termination as an authentication-server LDAP frontend. This does NOT work, however: pfsense-02/haproxy reports an SSL handshake issue. Other services (Confluence, JIRA, Keycloak, Splunk) are happily using the pfsense-02/haproxy LDAP frontend without problems.

I have tried to use all the CAs in the chain as well as the Global CA chain. This is an Entrust wildcard certificate. All intermediates are located in both pfsense-01 and pfsense-02. No combination (Entrust L1K, G2, or the Global CA chain) in pfsense-01 works.

I have tried SSL-encrypted and STARTTLS in pfsense-01, as well as different options in pfsense-02/haproxy (tcp, ssl/https), but the result is the same error message.

pfsense-01 authentication directly to the underlying LDAP server works. But as I want to utilize an LDAP cluster, I need this to go through pfsense-02/haproxy.

I also tried to solve the issue as follows:
I requested a new cert with a SAN.

DNS Name=*.mintsecurity.fi
DNS Name=mintsecurity.fi
DNS Name=ldap.mintsecurity.fi

This made a difference for my desktop client (ldapadmin, freeware which previously complained about the wildcard cert) but made no difference to the communication between pfsense-01 and pfsense-02/haproxy.

I think I have covered everything that is mentioned here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html#Debugging_LDAP

I think I have verified that the "Entrust Certification Authority - L1K" is not in /usr/local/share/certs/ca-root-nss.crt. Hence the Global CA list will never work with the Entrust certs. Choosing any of the intermediates in the chain does not work either, as explained previously.

I have tried to look at https://github.com/pfsense/pfsense/blob/master/src/etc/inc/auth.inc to understand where the checks are actually made. I am, however, not a programmer, nor very savvy at reading PHP code, so I cannot say where things really go wrong. But they do.
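An added example, not part of this bug report and not pfSense or HAProxy code: it rebuilds the shape of the chain described above with throwaway keys (a self-signed root standing in for the Entrust root, an intermediate standing in for L1K, and a wildcard leaf carrying the three SAN entries from the report) and then asks OpenSSL to verify the leaf under the combinations the reporter tried. Only the root trusted with the server sending the full chain, the root trusted with the server sending the leaf alone, only the intermediate trusted with and without -partial_chain, and the wildcard versus the explicit SAN entries for different hostnames. All certificate names and file names are assumptions; the real Entrust certificates are not involved.

```shell
#!/bin/sh
# Added example (not from the bug report, not pfSense/HAProxy code).
# Throwaway chain: root -> intermediate -> wildcard leaf with the SAN list
# from the report. Every CN and file name below is an assumption.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: CA certs get CA:TRUE + keyCertSign; the leaf gets the SAN list.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mintsecurity.fi,DNS:mintsecurity.fi,DNS:ldap.mintsecurity.fi\n' > leaf.ext

# csr NAME SUBJECT -> NAME.key and NAME.csr (throwaway RSA keys, no passphrase)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
csr root  "/CN=Example Root CA"          # stand-in for the Entrust root
csr inter "/CN=Example Intermediate L1K" # stand-in for Entrust L1K
csr leaf  "/CN=*.mintsecurity.fi"        # the wildcard leaf

openssl x509 -req -in root.csr  -signkey root.key  -days 365 -extfile ca.ext   -out root.crt  2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt  -CAkey root.key  -CAcreateserial -days 365 -extfile ca.ext   -out inter.crt 2>/dev/null
openssl x509 -req -in leaf.csr  -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile leaf.ext -out leaf.crt  2>/dev/null

# What the TLS server presents to the client (the PEM bundle behind HAProxy's
# crt option): either the leaf alone, or the leaf followed by the intermediate.
cat leaf.crt           > presented_leaf_only.pem
cat leaf.crt inter.crt > presented_fullchain.pem

# verify TRUSTED_CA_FILE PRESENTED_FILE HOSTNAME [extra openssl verify flags]
# Exit status 0 means OpenSSL accepts leaf.crt under those conditions.
verify() {
  _trust="$1"; _presented="$2"; _host="$3"; shift 3
  openssl verify -CAfile "$_trust" -untrusted "$_presented" \
    -verify_hostname "$_host" "$@" leaf.crt >/dev/null 2>&1
}

# The combinations from the report, as named checks.
root_trusted_fullchain()       { verify root.crt  presented_fullchain.pem ldap.mintsecurity.fi; }
root_trusted_leaf_only()       { verify root.crt  presented_leaf_only.pem ldap.mintsecurity.fi; }
intermediate_trusted()         { verify inter.crt presented_fullchain.pem ldap.mintsecurity.fi; }
intermediate_trusted_partial() { verify inter.crt presented_fullchain.pem ldap.mintsecurity.fi -partial_chain; }
hostname_bare_domain()         { verify root.crt  presented_fullchain.pem mintsecurity.fi; }
hostname_two_labels()          { verify root.crt  presented_fullchain.pem deep.ldap.mintsecurity.fi; }

# report NAME: print OK/FAIL for one check without aborting under set -e
report() {
  if "$1"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}
for c in root_trusted_fullchain root_trusted_leaf_only intermediate_trusted \
         intermediate_trusted_partial hostname_bare_domain hostname_two_labels; do
  report "$c"
done
```

Run it with sh on a host that has openssl 1.0.2 or later (for -partial_chain and -verify_hostname). The pattern it shows: verification succeeds only when the trust anchor is the self-signed root and the presented bundle carries the intermediate, or when an intermediate is the anchor and the verifier explicitly allows a partial chain; with the right root but a server bundle lacking the intermediate, the handshake-side verification still fails, so the first thing to confirm on the HAProxy side is that the PEM given to its crt option contains the leaf followed by the intermediates. For the hostnames, mintsecurity.fi is accepted only because of the explicit SAN entry (the wildcard alone does not cover the bare domain), and deep.ldap.mintsecurity.fi is rejected because a wildcard matches a single label.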
