Hello, I have been struggling with getting [ldap_server_auto] to work with ssl port 636

it is unclear to me what cert(s) is(are) needed for ssl_cert_path and the private key ssl_key_path.

we have an Offline Root CA and two Sub Issuing CAs. i have these 3 certs in a single PEM file, and it is used for the [ad_client] section ssl_ca_certs_file=conf\SSL_Certs.pem. In the [ad_client] section i have transport=ldaps and port=363, and it works fine.

but i am confused what cert needs to go in the [ldap_server_auto] section. Can someone please help me with this? the Authentication Proxy Reference guide doesn’t have any specifics in it regarding this, and I have searched the forums and google on what is required. No luck!

here are the steps that i took

1. openssl.exe genrsa -out .\duo\duo.key 4096
2. openssl req -new -sha256 -key .\duo\duo.key -out .\duo\duo.csr -config .\duo\openssl.config
3. i then took the CSR to my Issuing CA (certssrv), requested a cert using the CSR and downloaded it as a Base64 P7B file
4. openssl pkcs7 -print_certs -in .\duo\certnew.p7b -out .\duo\duo.pem
5. i moved the PEM and KEY to the Auth Proxy, dropped them in the CONF folder and updated the authproxy.cfg file as follows:

ssl_port=636
ssl_key_path=duo.key
ssl_cert_path=duo.pem

6. restarted the Duo Auth service, which started fine. But when i go to my test instance of Confluence and mod the LDAP Config to point to the Auth Proxy, it fails to work with:

“Connection test failed. Response from the server:
duoldaps.domain.name:636; nested exception is javax.naming.CommunicationException: duoldaps.domain.name:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.■■■■■■■■■■■■■■■■■■■■ception: unable to find valid certification path to requested target]”

Please help. Are there any step by step explicit guides on this and what is needed?

Thank you!