Bug #8020 (closed): Can't STARTTLS to LDAP server since 2.4.0
Description
This setup was running fine until my upgrade to 2.4.0 (and 2.4.1). I'm running an OpenLDAP server (on EL6). This LDAP server is using a Let's Encrypt certificate. The intermediate certificate is correctly sent by the server. On pfSense, I'm also using a Let's Encrypt certificate (obtained with the ACME add-on), which has automatically created the "Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US" CA in the certificate manager. This CA is set as the trusted CA of the LDAP server on pfSense (User manager -> Authentication servers).
The LDAP server is configured to use TCP - STARTTLS.
Since I've upgraded to 2.4.0, all I get in the system logs is:
/system_authservers.php: ERROR! ldap_get_user_ous() could not STARTTLS to server .
If I switch to SSL, it still can't connect, but the error message is different:
/system_authservers.php: ERROR! ldap_get_user_ous() could not bind anonymously to server .
From the command line, I can use ldapsearch with STARTTLS without problem:
ldapsearch -x -ZZ -H ldap://ldap.domain.com -b dc=domain,dc=com
[...]
So it looks like something changed in the way the certificate chain is verified. I've also tried to import the intermediate certificate and set this one as the trusted CA for this LDAP server, but it's still the same issue.
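One check worth running when a STARTTLS chain verification fails like this (added example, not code from the report or from pfSense): the script below builds a throwaway root -> intermediate -> leaf chain with openssl and shows how validation of the leaf depends on whether the intermediate is sent and on whether the configured trust anchor is the root or only the intermediate, the latter being what an "Acmecert ... Let's Encrypt Authority X3" CA entry provides. All certificates, keys and the name ldap.example.test are constructed locally.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense): build a throwaway
# root -> intermediate -> leaf chain and test which trust-store setups let
# OpenSSL validate the leaf, the same check an LDAP client performs on STARTTLS.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME ISSUER EXTENSIONS: certificate for NAME signed by ISSUER's key.
issue_cert() {
    name=$1; issuer=$2; ext=$3
    printf '%b\n' "$ext" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

build_chain() {
    # Self-signed root; "req -x509" marks it as a CA by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    issue_cert intermediate root \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    issue_cert leaf intermediate \
        'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test'
}

# verify_leaf ANCHOR [SENT] [FLAGS]: returns 0 when the leaf validates.
# ANCHOR is the CA file the client trusts (pfSense's "trusted CA" setting);
# SENT models the intermediate the server hands over in the TLS handshake.
verify_leaf() {
    anchor=$1; sent=${2:-}; flags=${3:-}
    set -- -CAfile "$WORK/$anchor.pem"
    if [ -n "$sent" ]; then set -- "$@" -untrusted "$WORK/$sent.pem"; fi
    openssl verify "$@" $flags "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
# Root trusted and intermediate sent: validates.
verify_leaf root intermediate && echo "root anchor, intermediate sent: OK"
# Root trusted but intermediate not sent: "unable to get local issuer certificate".
verify_leaf root || echo "root anchor, intermediate missing: FAIL"
# Only the intermediate trusted (like the report's Acmecert CA entry): OpenSSL's
# default verifier still wants to reach a self-signed root, so this fails ...
verify_leaf intermediate intermediate || echo "intermediate-only anchor: FAIL"
# ... unless the client opts into partial-chain verification.
verify_leaf intermediate intermediate -partial_chain && echo "intermediate anchor + partial chain: OK"
```

Whether a given LDAP client enables partial-chain verification is a property of that client's TLS setup, so the intermediate-only case is the one to compare between the working ldapsearch run and the failing one.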