Connect to an LDAP Server Fails With: "Could not find a valid certificate"
Problem
Testing an LDAP Server connection on the instance and the connection test fails with the error:
ldaps://xxx.xxx.xxx.xxx:636 Could not find a valid certificate
Cause
How to setup certificates for LDAPS connections is discussed in this documentation:
Under Certificate trust:
By default, the instance trusts the Certificate Authority, or CA, for a certificate. This ensures the instance accepts self-issued certificates. If you do not want to trust all certificates by default, set the following general security property to false:
com.glide.communications.trustmanager_trust_all.
You may have already set com.glide.communications.trustmanager_trust_all to true, but are still seeing the Could not find a valid certificate error.
The cause may be the activation of the High Security Settings Plugin, or com.glide.high_security, which sets the following system property to true:
com.glide.communications.httpclient.verify_hostname
The description of this property is:
Verify hostname and certificate chain presented by remote SSL hosts. Set to true to protect against MITM attacks. Overrides the com.glide.communications.trustmanager_trust_all property.
Resolution
There are two ways to resolve this issue:
- Set the system property com.glide.communications.httpclient.verify_hostname to false, while keeping the com.glide.communications.trustmanager_trust_all property set to true. In this configuration, the system again makes the instance trust the Certificate Authority CA for a certificate. This ensures the instance accepts self-issued certificates.
- Upload the SSL certificate to the instance for the LDAP Server that has been issued by a trusted third party Certificate Authority, for example a a non-self-issued certificate, again following the documentation on Certificates referenced above:
If there is a trusted third party signed certificate installed on the instance, it is possible to set both system properties to not accept self-issued certificates:
com.glide.communications.trustmanager_trust_all = false
and
com.glide.communications.httpclient.verify_hostname = true
Since com.glide.communications.httpclient.verify_hostname overrides com.glide.communications.trustmanager_trust_all, just setting com.glide.communications.httpclient.verify_hostname to true is actually sufficient. It does not matter if com.glide.communications.trustmanager_trust_all is set to true, if com.glide.communications.httpclient.verify_hostname is set to true, the instance does not accept self-issued certificates.