I recently set up a Duo Authentication Proxy server.
The primary authentication server supports plain authentication only, so I had to establish ldaps (or starttls) for the transport.
To do that, I have to set ssl_ca_certs_file to a path pointing to the PEM-encoded certificate from the server.
To do that, I fetched the certs with openssl (openssl.exe s_client -connect our.ldap.server:636 -showcerts), then copied and pasted the various certificate blocks into a text file and pointed ssl_ca_certs_file at that file.
This all worked.
Today, I was working on automating this process, because when that cert is changed out we’d have to update the cert that the ssl_ca_certs_file setting points to. Otherwise Duo wouldn’t work and we’d be locked out of accessing things. At least, that’s what I thought.
In my testing, I found out that ssl_ca_certs_file doesn’t seem to do anything. The connectivity tool will check to see if the file is there (and accessible). It will throw an error if you specify starttls or ldaps for transport and do not specify ssl_ca_certs_file, and it will throw an error if you specify ssl_ca_certs_file but the file you point to does not exist (or is inaccessible).
It does not seem to check the contents of the file, or check the file against the certificate the server presents.
Similarly, when actually trying to log in, everything works even if ssl_ca_certs_file points to an empty text file, or a text file with random data in it.
Yes, I’m restarting the DuoAuthProxy service after making changes to the ssl_ca_certs_file that Duo is looking at.
Is there something I’m missing?
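As an added example (not from the post above and not Duo's code), here is a small script that automates the paste step from `openssl s_client -showcerts` and then checks, independently of the proxy, that the LDAPS server's certificate actually chains to the resulting PEM bundle. The host name, port and the sample s_client output are constructed placeholders.

```python
"""Build a CA bundle from `openssl s_client -showcerts` output and verify an
LDAPS endpoint against it. Added example; host/port/sample data are made up."""
import re
import socket
import ssl
import subprocess
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for real s_client output: two PEM blocks with dummy bodies.
SAMPLE_SHOWCERTS = """CONNECTED(00000003)
 0 s:CN = ldap.example.test
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertBody==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertBody==
-----END CERTIFICATE-----
---
"""


def extract_pem_blocks(showcerts_output: str) -> list:
    """Return every PEM certificate block in the s_client output, in chain order."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(showcerts_output)]


def write_ca_bundle(showcerts_output: str, path: str) -> int:
    """Write the extracted blocks to `path`; refuse an empty bundle so a bad
    paste cannot silently produce a file with nothing in it. Returns the count."""
    blocks = extract_pem_blocks(showcerts_output)
    if not blocks:
        raise ValueError("no PEM certificate blocks found in input")
    with open(path, "w") as fh:
        fh.writelines(blocks)
    return len(blocks)


def verify_ldaps(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Connect trusting only `cafile` (hostname check on); raise ssl.SSLError if
    the presented chain does not validate. Servers often omit the self-signed
    root from -showcerts, so partial-chain trust is enabled where available."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # only reached when validation succeeded


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    out = subprocess.run(cmd, input="", capture_output=True, text=True).stdout
    print("wrote", write_ca_bundle(out, "ldap_ca.pem"), "certificate block(s) to ldap_ca.pem")
    print("validated subject:", verify_ldaps(host, port, "ldap_ca.pem").get("subject"))
```

Running it against the real server with the bundle that the proxy's ssl_ca_certs_file points to gives a pass/fail result for that file's contents, which is the check the connectivity tool does not perform.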