Cert Problems with Directory Server & LetsEncrypts

I set up a wildcard LetsEncrypt cert using this tutorial: How to install and auto update Let's encrypt wildcard certs on Synology NAS with cloudflare DNS API :: William's blog
Worked like a dream. However, I'm still struggling to get things working quite right with Directory Server.

For example... when I use the following command:

Bash:
curl ldaps://auth.nativeedgelandscape.com

I get this response:
Bash:
curl: (58) LDAP local: ERROR setting PEM CA cert: Can't contact LDAP server
(Same curl with ldap:// seems to work fine)

It seems I'm having some issues with Active Directory Server handling the certificate correctly.

When I run this code:
Bash:
openssl s_client -host auth.redacteddomainname.com -port 636 -prexit -showcerts

The response ends in the message "Verify return code: 21 (unable to verify the first certificate)"
This is the full response (redacted):
Bash:
CONNECTED(00000005)
depth=0 CN = *.redacteddomainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.redacteddomainname.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2072 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #######
    Session-ID: ########
    Session-ID-ctx:
    Master-Key: #######
    Start Time: 1574893768
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
---
Certificate chain
 0 s:/CN=*.redacteddomainname.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2103 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #######
    Session-ID: ########
    Session-ID-ctx:
    Master-Key: ###########
    Start Time: 1574893768
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I noticed this in particular:
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA

That makes me think something isn't quite right, as I would assume this should be LetsEncrypt? Any thoughts?

Thanks!
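A check for the symptom in the output above, added here and not part of the original thread: it parses saved `openssl s_client -showcerts` text (a constructed sample modelled on the redacted one, with a placeholder domain) and reports whether the server presented anything beyond its leaf, what the verify codes 20/21/27 mean, and why the "Acceptable client certificate CA names" list concerns client certificates rather than the server's own chain.

```python
import re

# X509 verify result codes as s_client prints them ("verify error:num=NN"); 20/21/27 appear in the thread.
VERIFY_ERRORS = {
    20: "issuer not found locally: it was neither sent by the server nor in the client trust store",
    21: "first certificate cannot be verified: the server sent the leaf but no intermediate",
    27: "certificate not trusted",
}

# Constructed sample modelled on the thread's redacted output (domain is a placeholder).
SAMPLE_OUTPUT = """\
depth=0 CN = *.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.example.test
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=*.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
"""

def parse_chain(text):
    """(subject, issuer) per cert under 'Certificate chain', deduplicated because -prexit prints it twice."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", text, re.MULTILINE)
    return list(dict.fromkeys((s.strip(), i.strip()) for s, i in pairs))

def diagnose(text):
    chain = parse_chain(text)
    # Each presented cert must be issued by the next one; the issuer of the last one is the
    # anchor the client must already trust (servers normally send intermediates but not the root).
    links_ok = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", text)})
    # A single non-self-signed cert plus error 21 is the classic "cert.pem deployed instead of
    # fullchain.pem" symptom: the intermediate never reaches the client.
    leaf_only = len(chain) == 1 and chain[0][0] != chain[0][1]
    m = re.search(r"Acceptable client certificate CA names\n(.*?)\n---", text, re.DOTALL)
    return {
        "presented": len(chain), "links_ok": links_ok,
        "intermediate_missing": leaf_only and 21 in errors,
        "trust_anchor_needed": chain[-1][1] if chain else None,
        "verify_errors": {n: VERIFY_ERRORS.get(n, "unknown code") for n in errors},
        # These CAs only govern which *client* certs the server accepts (mutual TLS), not its own chain.
        "client_cert_cas": m.group(1).splitlines() if m else [],
    }
```

Run `diagnose()` over the real `-showcerts` output; `intermediate_missing` being true points at the certificate bundle installed on the server rather than at the CA list below it.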
 
Just thought I'd give this a bump to see if anyone had insight. :)

Ping me and I can spend some time going through what you are trying to do.
I've spent literally the past two weeks diddling around with certificates for this.