Hello, I have been struggling with getting [ldap_server_auto] to work with SSL port 636.
It is unclear to me what cert(s) is (are) needed for ssl_cert_path and the private key ssl_key_path.
We have an Offline Root CA and two Sub Issuing CAs. I have these 3 certs in a single PEM file, and it is used for the [ad_client] section ssl_ca_certs_file=conf\SSL_Certs.pem. In the [ad_client] section I have transport=ldaps and port=363, and it works fine.
But I am confused about what cert needs to go in the [ldap_server_auto] section. Can someone please help me with this? The Authentication Proxy Reference guide doesn't have any specifics in it regarding this, and I have searched the forums and Google for what is required. No luck!
Here are the steps that I took:
- openssl.exe genrsa -out .\duo\duo.key 4096
- openssl req -new -sha256 -key .\duo\duo.key -out .\duo\duo.csr -config .\duo\openssl.config
- I then took the CSR to my Issuing CA (certssrv), requested a cert using the CSR and downloaded it as a Base64 P7B file
- openssl pkcs7 -print_certs -in .\duo\certnew.p7b -out .\duo\duo.pem
- I moved the PEM and KEY to the Auth Proxy, dropped them in the CONF folder and updated the authproxy.cfg file as follows:
- Restarted the Duo Auth service, which started fine. But when I go to my test instance of Confluence and mod the LDAP Config to point to the Auth Proxy, it fails to work with:
“Connection test failed. Response from the server:
duoldaps.domain.name:636; nested exception is javax.naming.CommunicationException: duoldaps.domain.name:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]”
Please help. Are there any step by step explicit guides on this and what is needed?
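The PKIX error quoted above means the Confluence JVM could not build a path from the certificate the proxy presented to a root it trusts, which usually points at a missing intermediate in the file behind ssl_cert_path or at a root missing from the client truststore. The script below is an added example, not from the poster or from Duo: it builds a constructed three-tier PKI like the one described (offline root, issuing CA, LDAPS leaf), checks that the leaf chains to the CA bundle and matches the private key, and writes the leaf followed by the issuing CA certificate as the full-chain file; all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the full-chain PEM that
# ssl_cert_path should point at and check it before pointing Confluence at it.
# File names are assumptions; make_demo_pki builds a constructed stand-in PKI.
set -e

# split_bundle BUNDLE PREFIX: write each certificate in BUNDLE to its own file
split_bundle() {
  awk -v p="$2" '/BEGIN CERTIFICATE/{n++} n{print > (p n ".pem")}' "$1"
}

# build_fullchain LEAF KEY CA_BUNDLE OUT: fails unless LEAF chains to CA_BUNDLE
# and KEY is LEAF's key; writes LEAF then every non-self-signed CA cert to OUT
build_fullchain() {
  openssl verify -CAfile "$3" "$1" >/dev/null || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 2
  cp "$1" "$4"
  d=$(mktemp -d); split_bundle "$3" "$d/ca"
  for c in "$d"/ca*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    if [ "$s" != "$i" ]; then cat "$c" >> "$4"; fi  # self-signed root stays out
  done
  rm -rf "$d"
}

# make_demo_pki DIR: constructed offline root -> issuing CA -> LDAPS leaf
make_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
  for n in root issuing duo; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
    openssl req -new -key "$n.key" -subj "/CN=Constructed $n" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -set_serial 2 -days 1 \
    -extfile ca.ext -out issuing.pem 2>/dev/null
  openssl x509 -req -in duo.csr -CA issuing.pem -CAkey issuing.key -set_serial 3 -days 1 \
    -extfile leaf.ext -out duo.pem 2>/dev/null
  cat root.pem issuing.pem > SSL_Certs.pem   # same shape as the poster's CA bundle
)

w=$(mktemp -d)
make_demo_pki "$w"
build_fullchain "$w/duo.pem" "$w/duo.key" "$w/SSL_Certs.pem" "$w/duo-fullchain.pem"
grep -c 'BEGIN CERTIFICATE' "$w/duo-fullchain.pem"   # 2: leaf plus the issuing CA
```

Point ssl_cert_path at the full-chain file and ssl_key_path at the matching key; the client side still needs the root (not the leaf) in its truststore for path building to succeed.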