Cert Problems with Directory Server & LetsEncrypts

Currently reading
Cert Problems with Directory Server & LetsEncrypts

I set up a wild card LetsEncypt cert using this using this tutorial: How to install and auto update Let's encrypt wildcard certs on Synology NAS with cloudflare DNS API :: William's blog
Worked like a dream. However, I'm still struggling to get things working quite right with with Directory Server.

For example... when I use the following command:


Bash:
curl ldaps://auth.nativeedgelandscape.com

I get this response:
Bash:
curl: (58) LDAP local: ERROR setting PEM CA cert: Can't contact LDAP server
(Same curl with ldap:// seems to work fine)

It seems Im having some issues with Active Directory Server handling the certificate correctly.

When I run this code:
Bash:
openssl s_client -host auth.redacteddomainname.com -port 636 -prexit -showcerts

The response ends in the message "Verify return code: 21 (unable to verify the first certificate)"
This is the full response (redacted):
Bash:
CONNECTED(00000005)

depth=0 CN = *.redacteddomainname.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN = *.redacteddomainname.com

verify error:num=27:certificate not trusted

verify return:1

depth=0 CN = *.redacteddomainname.com

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

0 s:/CN=*.redacteddomainname.com

   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----

~~~~~ Redacted ~~~~~~

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=*.redacteddomainname.com

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

---

Acceptable client certificate CA names

/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA

---

SSL handshake has read 2072 bytes and written 524 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : #######

    Session-ID: ########

    Session-ID-ctx:

    Master-Key: #######

    Start Time: 1574893768

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

closed

---

Certificate chain

0 s:/CN=*.redacteddomainname.com

   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----

~~~~~ Redacted ~~~~~

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=*.redacteddomainname.com

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

---

Acceptable client certificate CA names

/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA

---

SSL handshake has read 2103 bytes and written 555 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : #######

    Session-ID: ########

    Session-ID-ctx:

    Master-Key: ###########

    Start Time: 1574893768

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

I noticed this in particular
Acceptable client certificate CA names

/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA

That makes me think something isn't quite right as I would assume this should be letsecrypt? Any thoughts?

Thanks!
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Success! I now can login into Portainer, configured to use ldap, authenticating against Directory Server...
Replies
2
Views
370
How do I set Home directory with drive letter in the CSV file? Also, how do I set password parameters?
Replies
2
Views
2,793
I’m looking to implement directory server and join some computers to it. If the existing user name on...
Replies
0
Views
1,379
Hello, I want to create a user in a domain using RSAT (Remote Server Administration Tools on Windows 10)...
Replies
0
Views
1,463
On synology site, in this place: Synology Directory Server Package | Synology Inc. there is information...
Replies
0
Views
1,676
Look into Duo, I would think it would work with domain accounts as well. When the application is installed...
Replies
4
Views
7,722

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top