
Connect to an LDAP Server Fails With: "Could not find a valid certificate"



Problem


Testing an LDAP Server connection on the instance fails with the error:

ldaps://xxx.xxx.xxx.xxx:636 Could not find a valid certificate

 

Cause


How to set up certificates for LDAPS connections is covered in this documentation:

Certificates

Under Certificate trust:

By default, the instance trusts the Certificate Authority, or CA, for a certificate. This ensures the instance accepts self-issued certificates. If you do not want to trust all certificates by default, set the following general security property to false:

com.glide.communications.trustmanager_trust_all.

You may have already set com.glide.communications.trustmanager_trust_all to true, but are still seeing the "Could not find a valid certificate" error.

The cause may be the activation of the High Security Settings Plugin, or com.glide.high_security, which sets the following system property to true:

com.glide.communications.httpclient.verify_hostname

The description of this property is:

Verify hostname and certificate chain presented by remote SSL hosts. Set to true to protect against MITM attacks. Overrides the com.glide.communications.trustmanager_trust_all property.

 

Resolution


There are two ways to resolve this issue:

  1. Set the system property com.glide.communications.httpclient.verify_hostname to false, while keeping the com.glide.communications.trustmanager_trust_all property set to true. In this configuration the instance again trusts the Certificate Authority (CA) for a certificate, so it accepts self-issued certificates. Note that this also turns off the hostname and certificate chain verification that the verify_hostname property description above says protects against MITM attacks.
  2. Upload to the instance the SSL certificate for the LDAP Server that has been issued by a trusted third-party Certificate Authority (that is, a certificate that is not self-issued), again following the Certificates documentation referenced above:

Certificates

If there is a trusted third party signed certificate installed on the instance, it is possible to set both system properties to not accept self-issued certificates:

com.glide.communications.trustmanager_trust_all = false

and

com.glide.communications.httpclient.verify_hostname = true

Since com.glide.communications.httpclient.verify_hostname overrides com.glide.communications.trustmanager_trust_all, setting com.glide.communications.httpclient.verify_hostname to true is sufficient on its own. Whatever com.glide.communications.trustmanager_trust_all is set to, the instance does not accept self-issued certificates while com.glide.communications.httpclient.verify_hostname is true.
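Before choosing between the two resolutions, it helps to know what the LDAP server actually presents. The following shell script is an added example and is not part of this article or of ServiceNow; it performs the same two checks that verify_hostname = true performs (trusted chain and matching hostname) from the command line, using OpenSSL, and translates the result into the terms of the two properties. It assumes openssl 1.1.0 or later is installed (for -verify_hostname), that the machine running it can reach the LDAP server on port 636, and that the numeric verify codes it interprets (0, 18, 19, 20, 21, 62) are OpenSSL's standard X509 verification codes.

```shell
#!/bin/sh
# Added example (not from the KB article or ServiceNow): perform an LDAPS
# handshake with OpenSSL and interpret the verification result the way
# com.glide.communications.httpclient.verify_hostname=true would, i.e.
# requiring both a trusted certificate chain and a matching hostname.
# Assumptions: openssl 1.1.0+ on PATH, network reach to the LDAP server,
# and OpenSSL's standard X509 verify codes (0, 18, 19, 20, 21, 62).

# Extract the numeric "Verify return code" from s_client output.
# Prints the code, or "none" if the handshake never reached verification.
verify_code_from_output() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo none
    else
        echo "$code"
    fi
}

# Map an OpenSSL X509 verify code to advice expressed in terms of the two
# instance properties discussed in the article.
advise() {
    case "$1" in
        0)     echo "OK: chain trusted and hostname matches; verify_hostname=true will accept this server" ;;
        18|19) echo "SELF_SIGNED: certificate is self-issued (code $1); verify_hostname=true rejects it unless the issuing CA is uploaded to the instance" ;;
        20|21) echo "UNTRUSTED_ISSUER: issuer not found in the CA file (code $1); upload the third-party CA chain, otherwise the instance reports 'Could not find a valid certificate'" ;;
        62)    echo "HOSTNAME_MISMATCH: certificate does not match the LDAP host name (code 62); verify_hostname=true fails even with trustmanager_trust_all=true" ;;
        none)  echo "NO_HANDSHAKE: TLS handshake did not complete; check host, port 636 and firewall before looking at certificates" ;;
        *)     echo "OTHER: verify code $1; see the openssl verify(1) man page" ;;
    esac
}

# Run the live check: host, port (default 636), optional CA bundle file
# (the same CA chain you would upload to the instance for resolution 2).
check_ldaps() {
    host=$1; port=${2:-636}; cafile=$3
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -verify_hostname "$host" -CAfile "$cafile" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -verify_hostname "$host" </dev/null 2>&1) || true
    fi
    advise "$(verify_code_from_output "$out")"
}

# Usage: sh ldaps_check.sh ldap.example.com 636 /path/to/ca-chain.pem
if [ $# -gt 0 ]; then
    check_ldaps "$@"
fi
```

Run it with the LDAP server's host name (not its IP address, since the hostname check compares against the name you connect with) and, for resolution 2, the CA bundle you intend to upload. An OK result means both properties can be left at their hardened values; a SELF_SIGNED result means the server's certificate must be replaced or its CA uploaded before verify_hostname can stay true.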

Article Information

Last Updated:2018-01-25 08:09:26
Published:2017-11-10