LDAP and SSL help please


#1

Hello, I have been struggling with getting [ldap_server_auto] to work with SSL on port 636.

It is unclear to me which cert(s) are needed for ssl_cert_path and which private key is needed for ssl_key_path.

We have an Offline Root CA and two Sub Issuing CAs. I have these 3 certs in a single PEM file, and it is used for the [ad_client] section: ssl_ca_certs_file=conf\SSL_Certs.pem. In the [ad_client] section I have transport=ldaps and port=363, and it works fine.

But I am confused about which cert needs to go in the [ldap_server_auto] section. Can someone please help me with this? The Authentication Proxy Reference guide doesn't have any specifics in it regarding this, and I have searched the forums and Google for what is required. No luck!

Here are the steps that I took:

  1. openssl.exe genrsa -out .\duo\duo.key 4096
  2. openssl req -new -sha256 -key .\duo\duo.key -out .\duo\duo.csr -config .\duo\openssl.config
  3. I then took the CSR to my Issuing CA (certsrv), requested a cert using the CSR and downloaded it as a Base64 P7B file
  4. openssl pkcs7 -print_certs -in .\duo\certnew.p7b -out .\duo\duo.pem
  5. I moved the PEM and KEY to the Auth Proxy, dropped them in the CONF folder and updated the authproxy.cfg file as follows:

ssl_port=636
ssl_key_path=duo.key
ssl_cert_path=duo.pem

  6. I restarted the Duo Auth service, which started fine. But when I go to my test instance of Confluence and modify the LDAP config to point to the Auth Proxy, it fails to work with:

“Connection test failed. Response from the server:
duoldaps.domain.name:636; nested exception is javax.naming.CommunicationException: duoldaps.domain.name:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]”

Please help. Are there any explicit step-by-step guides on this and what is needed?

Thank you!


#2

Hi Cosmic_Ancestry.

The Confluence error seems to indicate that it can’t verify the issuer of the certificate you’re using to secure incoming LDAPS on the Authentication Proxy.

Try adding your issuing CA certs (the three that you have in the outbound connection [ad_client] config PEM) to the PEM you’re using with [ldap_server_auto]. Also ensure that the private key doesn’t require a password.

If this doesn’t work I suggest you contact our excellent Support team so one of them can work with you directly.

Thanks for trying Duo!
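Added example, not code from the thread or from Duo: a bash script that replays the steps in post #1 and then applies the advice in post #2. It builds a throw-away two-tier test CA (a stand-in for the Offline Root CA and one Sub Issuing CA; in the real setup the CAs already exist and step 3 happens in certsrv, not in openssl), generates the key and CSR as in steps 1-2, emulates the Base64 P7B download, unpacks it as in step 4, and then assembles the file ssl_cert_path needs (the server certificate that matches the key, followed by the issuing CA certificates up to the root) and checks that the key behind ssl_key_path has no passphrase, that the chain verifies on its own against the root, and that the certificate carries the name Confluence dials. The host name duoldaps.domain.name is taken from the thread; the CA names and the file names root.pem, issuing.pem, SSL_Certs.pem and duo_chain.pem are assumptions for the example. The openssl invocations are the same on Windows; only the shell glue is bash.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Duo): build and check the files behind
# ssl_key_path / ssl_cert_path in [ldap_server_auto]. A throw-away two-tier CA stands in
# for the poster's Offline Root CA + Sub Issuing CA; all file names are assumptions.
set -euo pipefail

LDAPS_HOST="duoldaps.domain.name"   # name Confluence dials (from the thread); it must be in the cert
WORK="$(mktemp -d)"
cd "$WORK"

# Helpers --------------------------------------------------------------------------------
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into $2-1.pem, $2-2.pem, ... (one cert per file, text headers dropped)
split_certs() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# SHA-256 of the SubjectPublicKeyInfo, taken from a private key or from a certificate
key_pub_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pub_fp() { openssl x509 -in "$1" -pubkey -noout     | openssl dgst -sha256 | awk '{print $NF}'; }
key_matches_cert() { [ "$(key_pub_fp "$1")" = "$(cert_pub_fp "$2")" ]; }

# The proxy starts as a service and cannot answer a passphrase prompt: the key must load unaided
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1" && openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# Stand-in CA hierarchy (constructed for this example; in real life these already exist) -----
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Offline Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out issuing.pem 2>/dev/null
  # the bundle the poster already feeds to [ad_client] ssl_ca_certs_file: issuer(s) first, root last
  cat issuing.pem root.pem > SSL_Certs.pem
}

# Steps 1-2 from the post: server key (no -aes256, so no passphrase) and a CSR that carries a SAN
make_server_key_and_csr() {
  openssl genrsa -out duo.key 4096 2>/dev/null
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\n' \
    "$LDAPS_HOST" "$LDAPS_HOST" > openssl.config
  openssl req -new -sha256 -key duo.key -out duo.csr -config openssl.config 2>/dev/null
}

# Step 3 stand-in: the issuing CA signs the CSR; the Base64 P7B download is emulated with crl2pkcs7
issue_from_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$LDAPS_HOST" > leaf.ext
  openssl x509 -req -in duo.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf_only.pem 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile leaf_only.pem -certfile issuing.pem -out certnew.p7b
}

# Step 4 from the post, unchanged: unpack the P7B into PEM (each cert preceded by subject=/issuer= lines)
p7b_to_pem() { openssl pkcs7 -print_certs -in "$1" -out "$2"; }

# What ssl_cert_path should hold: the cert that belongs to the key, then its issuers up to the root
build_server_chain() {   # $1 = PEM from step 4, $2 = private key, $3 = CA bundle, $4 = output file
  split_certs "$1" part
  local leaf="" c
  for c in part-*.pem; do
    if key_matches_cert "$2" "$c"; then leaf="$c"; fi
  done
  [ -n "$leaf" ] || { echo "no certificate in $1 belongs to $2" >&2; return 1; }
  cat "$leaf" "$3" > "$4"
}

# Does the served file chain to the trust anchor by itself, and does it carry the dialled name?
chain_ok() {   # $1 = file for ssl_cert_path, $2 = trust anchor (root only), $3 = host name
  split_certs "$1" chain
  openssl verify -CAfile "$2" -untrusted "$1" chain-1.pem >/dev/null 2>&1 || return 1
  openssl x509 -in chain-1.pem -noout -checkhost "$3" | grep -q 'does match'
}

# After the proxy restart, show what it really presents on 636 (needs the live host; not run here)
show_served_chain() { openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null; }

main() {
  make_test_pki
  make_server_key_and_csr
  issue_from_csr
  p7b_to_pem certnew.p7b duo.pem
  build_server_chain duo.pem duo.key SSL_Certs.pem duo_chain.pem
  # a passphrase-protected key, only to show what key_is_unencrypted rejects (never use one for the proxy)
  openssl genrsa -aes256 -passout pass:example -out encrypted_example.key 2048 2>/dev/null
  key_is_unencrypted duo.key
  chain_ok duo_chain.pem root.pem "$LDAPS_HOST"
  echo "OK: ssl_key_path=duo.key ssl_cert_path=duo_chain.pem ($(cert_count duo_chain.pem) certs in chain)"
}
main
```

Run it as-is to watch the checks pass on the synthetic CA, or call build_server_chain and chain_ok against the real duo.pem, duo.key and SSL_Certs.pem from the conf folder. The two checks are the ones that matter for the error in post #1: the proxy has to send the intermediate CA certificates itself, because a Java client only builds a path from what the server presents plus what sits in its own truststore, and the key file must load without a passphrase. One caveat: if the proxy serves the full chain and Confluence still reports "PKIX path building failed", the JVM truststore Confluence uses has no path to the internal root at all; importing root.pem into that truststore with keytool -importcert -trustcacerts (or issuing the proxy's certificate from a CA the JVM already trusts) is the remaining fix, and show_served_chain dumps exactly what the restarted proxy presents on port 636 so the two sides can be compared.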