Connect to an LDAP Server Fails With: "Could not find a valid certificate"
Problem
Testing an LDAP Server connection on the instance and the connection test fails with the error:
ldaps://xxx.xxx.xxx.xxx:636 Could not find a valid certificate
Cause
How to setup certificates for LDAPS connections is discussed in this documentation:
Under Certificate trust:
By default, the instance trusts the Certificate Authority, or CA, for a certificate. This ensures the instance accepts self-issued certificates. If you do not want to trust all certificates by default, set the following general security property to false:
com.glide.communications.trustmanager_trust_all.
You may have already set com.glide.communications.trustmanager_trust_all to true, but are still seeing the Could not find a valid certificate error.
The cause may be the activation of the High Security Settings Plugin, or com.glide.high_security, which sets the following system property to true:
com.glide.communications.httpclient.verify_hostname
The description of this property is:
Verify hostname and certificate chain presented by remote SSL hosts. Set to true to protect against MITM attacks. Overrides the com.glide.communications.trustmanager_trust_all property.
Resolution
There are two ways to resolve this issue:
- Set the system property com.glide.communications.httpclient.verify_hostname to false, while keeping the com.glide.communications.trustmanager_trust_all property set to true. In this configuration, the system again makes the instance trust the Certificate Authority CA for a certificate. This ensures the instance accepts self-issued certificates.
- Upload the SSL certificate to the instance for the LDAP Server that has been issued by a trusted third party Certificate Authority, for example a a non-self-issued certificate, again following the documentation on Certificates referenced above:
If there is a trusted third party signed certificate installed on the instance, it is possible to set both system properties to not accept self-issued certificates:
com.glide.communications.trustmanager_trust_all = false
and
com.glide.communications.httpclient.verify_hostname = true
Since com.glide.communications.httpclient.verify_hostname overrides com.glide.communications.trustmanager_trust_all, just setting com.glide.communications.httpclient.verify_hostname to true is actually sufficient. It does not matter if com.glide.communications.trustmanager_trust_all is set to true, if com.glide.communications.httpclient.verify_hostname is set to true, the instance does not accept self-issued certificates.
If the same error persists go to the LDAP Server record and check the "SSL"box if not already checked and save the change then try the "Test Connection" again.