Cert Problems with Directory Server & LetsEncrypts


I set up a wildcard Let's Encrypt cert using this tutorial: How to install and auto update Let's encrypt wildcard certs on Synology NAS with cloudflare DNS API :: William's blog
Worked like a dream. However, I'm still struggling to get things working quite right with Directory Server.

For example, when I use the following command:

Bash:
curl ldaps://auth.nativeedgelandscape.com

I get this response:
Bash:
curl: (58) LDAP local: ERROR setting PEM CA cert: Can't contact LDAP server
(The same curl with ldap:// seems to work fine.)

It seems I'm having some issues with Active Directory Server handling the certificate correctly.

When I run this code:
Bash:
openssl s_client -host auth.redacteddomainname.com -port 636 -prexit -showcerts

The response ends in the message "Verify return code: 21 (unable to verify the first certificate)"
This is the full response (redacted):
Bash:
CONNECTED(00000005)
depth=0 CN = *.redacteddomainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.redacteddomainname.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2072 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #######
    Session-ID: ########
    Session-ID-ctx:
    Master-Key: #######
    Start Time: 1574893768
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
---
Certificate chain
 0 s:/CN=*.redacteddomainname.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2103 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #######
    Session-ID: ########
    Session-ID-ctx:
    Master-Key: ###########
    Start Time: 1574893768
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I noticed this in particular:
Bash:
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA

That makes me think something isn't quite right, as I would assume this should be Let's Encrypt? Any thoughts?

Thanks!
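The two verify errors in the output above (20, "unable to get local issuer certificate", followed by 21, "unable to verify the first certificate") and a certificate chain that lists only entry 0, the wildcard leaf issued by Let's Encrypt Authority X3, point at the same thing: the server presents the leaf without its intermediate, so a client cannot build a path from the leaf to a trusted root. The "Acceptable client certificate CA names" list is unrelated to that; it is the list of CAs the server advertises when it asks the client for a certificate, which is why a Synology CA shows up there. The script below is an added example, not code from the post or from Synology: it builds a throwaway root/intermediate/leaf PKI with openssl (the CA names and the *.example.test wildcard are invented for the demo), shows that the leaf verifies only when the intermediate is supplied alongside it, and includes a helper that dumps the chain a live LDAPS server actually sends so the certificates can be counted.

```shell
#!/bin/sh
# Added example (not from the forum post). Reproduces the post's failure mode with a
# throwaway PKI: a leaf verified without its intermediate fails exactly like the
# s_client run above; the same leaf plus intermediate verifies. All names are made up.
set -eu

# Self-contained openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Generate an unencrypted P-256 key and a CSR: $1=config $2=key-out $3=csr-out $4=subject
csr() {
  openssl req -config "$1" -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2" -out "$3" -subj "$4" 2>/dev/null
}

# Build root -> intermediate -> leaf in directory $1.
make_pki() {
  d=$1
  write_config "$d/openssl.cnf"
  # Root CA: the trust anchor a client already has (stand-in for the public root).
  openssl req -config "$d/openssl.cnf" -x509 -extensions v3_ca -days 30 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" 2>/dev/null
  # Intermediate CA: what "Let's Encrypt Authority X3" is in the post; the server must send it.
  csr "$d/openssl.cnf" "$d/int.key" "$d/int.csr" "/CN=Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/openssl.cnf" -extensions v3_int -out "$d/int.pem" 2>/dev/null
  # Leaf: wildcard server certificate, like the post's *.redacteddomainname.com.
  csr "$d/openssl.cnf" "$d/leaf.key" "$d/leaf.csr" "/CN=*.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/openssl.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
  # What a correctly configured server presents: leaf first, then the intermediate.
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Number of certificates in a PEM bundle; the post's chain listed only "0 s:", i.e. one.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Verify leaf $2 against trust anchor $1, optionally with $3 as untrusted intermediates.
# Exit status is openssl's: 0 on "OK", non-zero on "unable to get local issuer certificate".
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Dump the chain a live server sends (not run in the demo): $1=host $2=port.
# Save it to a file and pass that file to count_certs; 1 means the intermediate is missing.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_pki "$PKI"
echo "certs in leaf.pem:      $(count_certs "$PKI/leaf.pem")"       # 1, as in the post
echo "certs in fullchain.pem: $(count_certs "$PKI/fullchain.pem")"  # 2
if verify_chain "$PKI/root.pem" "$PKI/leaf.pem"; then
  echo "leaf alone: OK (unexpected)"
else
  echo "leaf alone: FAILS, unable to get local issuer certificate (the post's situation)"
fi
if verify_chain "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/fullchain.pem"; then
  echo "leaf + intermediate: OK"
fi
```

Against the real NAS the check is `fetch_chain auth.example.test 636 > chain.pem; count_certs chain.pem` (hostname assumed). A count of 1 confirms the server is installed with only the leaf; the fix is to install the leaf followed by the intermediate (the full-chain file that Let's Encrypt clients produce next to the certificate) as the Directory Server certificate, then repeat the s_client command from the post and look for "Verify return code: 0 (ok)". Until the intermediate is served, any LDAPS client that validates the chain, curl included, will refuse the connection.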
Just thought I'd give this a bump to see if anyone had insight. :)

Ping me and I can spend some time going through what you are trying to do.
I've spent, literally, the past two weeks diddling around with certificates for this.