Notifications

2573 views

Description

Problem


Testing an LDAP Server connection on the instance and the connection test fails with the error:

ldaps://xxx.xxx.xxx.xxx:636 Could not find a valid certificate

 

Cause


How to set up certificates for LDAPS connections is discussed in this documentation: Certificates

Under Certificate trust:

By default, the instance trusts the Certificate Authority, or CA, for a certificate. This ensures the instance accepts self-issued certificates. If you do not want to trust all certificates by default, set the following general security property to false:

com.glide.communications.trustmanager_trust_all.

You may have already set com.glide.communications.trustmanager_trust_all to true, but are still seeing the Could not find a valid certificate error.

The cause may be the activation of the High Security Settings Plugin, or com.glide.high_security, which sets the following system property to true:

com.glide.communications.httpclient.verify_hostname

The description of this property is:

Verify hostname and certificate chain presented by remote SSL hosts. Set to true to protect against MITM attacks. Overrides the com.glide.communications.trustmanager_trust_all property.

 

Resolution


There are two ways to resolve this issue:

  1. Set the system property com.glide.communications.httpclient.verify_hostname to false, while keeping the com.glide.communications.trustmanager_trust_all property set to true. In this configuration, the system again makes the instance trust the Certificate Authority CA for a certificate. This ensures the instance accepts self-issued certificates.
  2. Upload the SSL certificate to the instance for the LDAP Server that has been issued by a trusted third party Certificate Authority, for example, a non-self-issued certificate, again following the documentation on Certificates referenced above:

Certificates

If there is a trusted third party signed certificate installed on the instance, it is possible to set both system properties to not accept self-issued certificates:

com.glide.communications.trustmanager_trust_all = false

and

com.glide.communications.httpclient.verify_hostname = true

Since com.glide.communications.httpclient.verify_hostname overrides com.glide.communications.trustmanager_trust_all, just setting com.glide.communications.httpclient.verify_hostname to true is actually sufficient. It does not matter if com.glide.communications.trustmanager_trust_all is set to true, if com.glide.communications.httpclient.verify_hostname is set to true, the instance does not accept self-issued certificates.

If the same error persists go to the LDAP Server record and check the "SSL" box if not already checked and save the change then try the "Test Connection" again.

Article Information

Last Updated:2019-08-02 21:20:11
Published:2019-07-15