Connect to an LDAP Server Fails With: "Could not find a valid certificate"


When testing an LDAP Server connection on the instance, the connection test fails with the error:

ldaps:// Could not find a valid certificate



How to set up certificates for LDAPS connections is discussed in this documentation:


Under Certificate trust:

By default, the instance trusts the Certificate Authority, or CA, for a certificate. This ensures the instance accepts self-issued certificates. If you do not want to trust all certificates by default, set the following general security property to false:


You may have already set com.glide.communications.trustmanager_trust_all to true, but are still seeing the Could not find a valid certificate error.

The cause may be the activation of the High Security Settings Plugin, or com.glide.high_security, which sets the following system property to true:


The description of this property is:

Verify hostname and certificate chain presented by remote SSL hosts. Set to true to protect against MITM attacks. Overrides the com.glide.communications.trustmanager_trust_all property.



There are two ways to resolve this issue:

  1. Set the system property com.glide.communications.httpclient.verify_hostname to false, while keeping the com.glide.communications.trustmanager_trust_all property set to true. In this configuration, the instance again trusts the Certificate Authority (CA) for a certificate, so it accepts self-issued certificates. With verify_hostname set to false, the hostname and certificate chain verification described above, which protects against MITM attacks, is not performed.
  2. Upload to the instance an SSL certificate for the LDAP Server that has been issued by a trusted third-party Certificate Authority, for example a non-self-issued certificate, again following the documentation on Certificates referenced above:


If there is a trusted third party signed certificate installed on the instance, it is possible to set both system properties to not accept self-issued certificates:

com.glide.communications.trustmanager_trust_all = false


com.glide.communications.httpclient.verify_hostname = true

Since com.glide.communications.httpclient.verify_hostname overrides com.glide.communications.trustmanager_trust_all, setting com.glide.communications.httpclient.verify_hostname to true is sufficient on its own. Regardless of whether com.glide.communications.trustmanager_trust_all is set to true, if com.glide.communications.httpclient.verify_hostname is set to true, the instance does not accept self-issued certificates.
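Before choosing between the two resolutions, it helps to know why the LDAP server's certificate fails strict verification. The following is an added example, not ServiceNow code: a Python probe run from a workstation that performs the LDAPS handshake with chain and hostname verification enabled and reports the failure cause. It assumes the workstation's trust store as a stand-in for the instance's, and all function names are hypothetical.

```python
import socket
import ssl

# OpenSSL X509 verify codes mapped to the likely cause of the LDAPS failure.
CAUSES = {
    10: "certificate expired",
    18: "self-issued certificate",
    19: "self-issued certificate in chain",
    20: "issuing CA not trusted by this client",
    62: "certificate does not match hostname",
}

def strict_context() -> ssl.SSLContext:
    """Chain and hostname verification on (analogous to verify_hostname = true)."""
    return ssl.create_default_context()

def trust_all_context() -> ssl.SSLContext:
    """No verification (analogous to trust_all = true, verify_hostname = false)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def classify(verify_code: int) -> str:
    """Translate an OpenSSL verify code into a readable cause."""
    return CAUSES.get(verify_code, f"other verification failure ({verify_code})")

def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Handshake with strict verification and report why it would fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict_context().wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "verified": True, "tls": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "verified": False,
                "cause": classify(exc.verify_code), "detail": exc.verify_message}

if __name__ == "__main__":
    import sys
    # Usage: python probe_ldaps.py ldap.example.com  (hostname is a placeholder)
    print(probe_ldaps(sys.argv[1]))
```

A result of "self-issued certificate" or "issuing CA not trusted by this client" points to resolution 2 (install a CA-issued certificate), while "certificate does not match hostname" means the LDAP Server URL and the certificate's names need to agree.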

Article Information

Last Updated: 2018-11-16 06:05:27