I set up a wildcard Let's Encrypt cert using this tutorial: How to install and auto update Let's encrypt wildcard certs on Synology NAS with cloudflare DNS API :: William's blog
Worked like a dream. However, I'm still struggling to get things working quite right with Directory Server.
For example... when I use the following command:
Bash:
curl ldaps://auth.nativeedgelandscape.com
I get this response:
Bash:
curl: (58) LDAP local: ERROR setting PEM CA cert: Can't contact LDAP server
It seems I'm having some issues with Active Directory Server handling the certificate correctly.
When I run this code:
Bash:
openssl s_client -host auth.redacteddomainname.com -port 636 -prexit -showcerts
The response ends in the message "Verify return code: 21 (unable to verify the first certificate)"
This is the full response (redacted):
Bash:
CONNECTED(00000005)
depth=0 CN = *.redacteddomainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.redacteddomainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=*.redacteddomainname.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2072 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : #######
Session-ID: ########
Session-ID-ctx:
Master-Key: #######
Start Time: 1574893768
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
---
Certificate chain
0 s:/CN=*.redacteddomainname.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
~~~~~ Redacted ~~~~~
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomainname.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
SSL handshake has read 2103 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : #######
Session-ID: ########
Session-ID-ctx:
Master-Key: ###########
Start Time: 1574893768
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
I noticed this in particular
Acceptable client certificate CA names
/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
That makes me think something isn't quite right as I would assume this should be Let's Encrypt? Any thoughts?
Thanks!
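The s_client transcript above shows a chain of depth 0 only (the leaf, no intermediate), which is what "unable to verify the first certificate" (code 21) means. The script below is an added example, not from the post or from Synology; it parses `openssl s_client -showcerts` output and reports whether the LDAPS listener served its intermediate, using a constructed sample with a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original post): parse `openssl s_client -showcerts`
# output and tell whether the LDAPS listener sent its intermediate certificate.
# Capture a live transcript (not called automatically; needs network).
fetch_transcript() {  # usage: fetch_transcript host [port]
    openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null
}
# How many certificates the server sent: one "N s:" line per cert in the chain.
chain_depth() {
    printf '%s\n' "$1" | grep -c '^ *[0-9][0-9]* s:'
}
# Issuer DN of cert 0 (the leaf): the "i:" line that follows "0 s:".
leaf_issuer() {
    printf '%s\n' "$1" | awk '/^ *0 s:/ { getline; sub(/^ *i:/, ""); print; exit }'
}
# Numeric "Verify return code" (0 = chain verified against the local CA bundle).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}
# "present" if a cert beyond the leaf carries the leaf's issuer as its subject,
# "missing" if the server sent the leaf alone (the code 21 case in the post).
intermediate_status() {
    want=$(leaf_issuer "$1")
    printf '%s\n' "$1" | awk -v want="$want" '
        /^ *[1-9][0-9]* s:/ { sub(/^ *[0-9]+ s:/, ""); if ($0 == want) found = 1 }
        END { print (found ? "present" : "missing") }'
}
# Summarise. The "Acceptable client certificate CA names" block in s_client
# output only lists CAs accepted for client certs; it plays no part here.
diagnose() {
    depth=$(chain_depth "$1"); code=$(verify_code "$1")
    echo "certs sent=$depth issuer='$(leaf_issuer "$1")' intermediate=$(intermediate_status "$1") verify=$code"
    if [ "$code" = 21 ] && [ "$depth" = 1 ]; then
        echo "verdict: only the leaf is served; deploy fullchain.pem (leaf + intermediate) on port 636"
    elif [ "$code" = 0 ]; then echo "verdict: chain verifies"
    else echo "verdict: inspect chain and CA bundle (code $code)"; fi
}
# Constructed sample modelled on the post's output (leaf only, no intermediate).
SAMPLE=$(cat <<'EOF'
Certificate chain
 0 s:/CN=*.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Verify return code: 21 (unable to verify the first certificate)
EOF
)
diagnose "$SAMPLE"
```

Run `diagnose "$(fetch_transcript auth.example.test)"` against a real host; a correctly configured listener reports two or more certs sent and verify code 0.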