LDAP search fails with error: ssl3_get_server_certificate:certificate verify failed over port 636

By esupport posted Nov 09, 2016 07:02 PM

Problem:

LDAP search fails with the below error:


2016-10-07 14:18:52,822    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:ad2012.aruba.com
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: administrator@jacobsenconstruction.com bind to ad2012.aruba.com:636 failed: Can't contact LDAP server
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)


The intermediate CA and root CA certificates of the LDAP/AD server are present in the ClearPass trust list, yet ClearPass fails to verify the server certificate.



Diagnostics:

While doing an LDAP search over port 636, it was observed that ClearPass failed to establish a TLS session with the LDAP/AD server: the handshake ends with a TLS Unknown CA alert. The underlying OpenSSL verify error in the log, "unable to get issuer certificate", means that a certificate was found in the trust list while building the chain, but the certificate that issued it could not be found; it is not the same as "unable to get local issuer certificate", which is reported when the issuer of a certificate presented by the server is missing from the trust list altogether.

Confirmed that the intermediate and root CA certificates of the LDAP/AD server are present in the trust list of the ClearPass server. The trust list can be viewed by navigating to Administration > Certificates > Trust List, as shown below:

[Screenshot: Administration > Certificates > Trust List]



Solution:

From ClearPass 6.6 onward, the server certificate of the AD/LDAP server must be imported into the ClearPass trust list, in addition to the intermediate and root CA certificates, for an LDAP search over port 636 (LDAP over SSL, LDAPS) to succeed.

After the AD/LDAP server certificate was imported into the ClearPass trust list, ClearPass was able to establish a TLS session with the LDAP/AD server over port 636 and the LDAP search succeeded. Because the server certificate itself is now trusted, it has to be imported again whenever the AD/LDAP server certificate is renewed.
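The verify error in the log is OpenSSL's, so the situation can be reproduced outside ClearPass. The script below is an added example, not part of this article and not ClearPass code: it builds a throwaway root > intermediate > server chain (the names Example Root CA, Example Issuing CA and ldaps.example.test are invented) and runs `openssl verify` against different simulated trust lists to show when OpenSSL reports "unable to get issuer certificate" (error 2, the text in the ClearPass log), when it reports "unable to get local issuer certificate" (error 20), and when the chain verifies. The last case trusts the server certificate itself with -partial_chain, which is the closest OpenSSL equivalent of the article's workaround; that equivalence is my reading of the behaviour, not something the article states.

```shell
#!/bin/sh
# Added example, not from the ClearPass article: reproduce the OpenSSL verify
# errors behind "certificate verify failed" with a throwaway PKI. All names
# (Example Root CA, Example Issuing CA, ldaps.example.test) are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ldaps.example.test
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
newcsr() { openssl req -new -config req.cnf -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# Root CA (self-signed)
newkey root.key
newcsr root.key "/CN=Example Root CA" root.csr
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate (issuing) CA, signed by the root
newkey int.key
newcsr int.key "/CN=Example Issuing CA" int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.pem 2>/dev/null

# Server (leaf) certificate, signed by the intermediate
newkey server.key
newcsr server.key "/CN=ldaps.example.test" server.csr
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 825 -extfile server.ext -out server.pem 2>/dev/null

# Simulated trust list holding both CA certificates (the article's situation).
cat root.pem int.pem > trust_root_and_int.pem

# verify_result TRUSTFILE LEAF [extra openssl verify options]
# Prints "OK" or a normalised verify error, independent of the OpenSSL
# version's exact output format and exit status (1.0.x exits 0 on failure).
verify_result() {
    trust=$1; leaf=$2; shift 2
    out=$(openssl verify -CAfile "$trust" "$@" "$leaf" 2>&1 || true)
    case "$out" in
        *": OK"*) echo "OK" ;;
        *"unable to get local issuer certificate"*)
            echo "error 20: unable to get local issuer certificate" ;;
        *"unable to get issuer certificate"*)
            echo "error 2: unable to get issuer certificate" ;;
        *) echo "other: $(printf '%s' "$out" | tr '\n' ' ')" ;;
    esac
}

# Each case models what the server sends (-untrusted) and what the trust list holds.
# Leaf only from the server, trust list holds only the root: the issuer of the
# untrusted leaf is nowhere -> error 20.
case_leaf_only_root_trusted() { verify_result root.pem server.pem; }
# Leaf only, trust list holds only the intermediate: the intermediate is found in
# the store, but ITS issuer (the root) is not -> error 2, the ClearPass log text.
case_leaf_only_int_trusted() { verify_result int.pem server.pem; }
# Server sends leaf + intermediate, trust list holds the root -> OK.
case_full_chain_root_trusted() { verify_result root.pem server.pem -untrusted int.pem; }
# Leaf only, trust list holds root + intermediate -> OK (what the article expected).
case_leaf_only_root_and_int_trusted() { verify_result trust_root_and_int.pem server.pem; }
# The article's workaround: trust the server certificate itself (partial chain).
case_leaf_pinned() { verify_result server.pem server.pem -partial_chain; }

for c in case_leaf_only_root_trusted case_leaf_only_int_trusted \
         case_full_chain_root_trusted case_leaf_only_root_and_int_trusted \
         case_leaf_pinned; do
    printf '%-38s %s\n' "$c" "$($c)"
done
```

Against a real AD/LDAP server the same check is `openssl verify` run on the certificates that `openssl s_client -connect ad2012.aruba.com:636 -showcerts` prints: the first certificate is the leaf, and anything after it is what the server sends as intermediates. Error 20 means the issuer of a certificate the server sent is not in the trust list at all; error 2 means a certificate from the trust list was used but its own issuer is missing, so the first thing to compare is the issuer of the intermediate in the trust list against the subject (and key identifier) of the root that is there.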


Comments

Jun 17, 2020 11:46 AM

Hi Tim,

I have a similar problem. I can browse through Azure AD fine, but when an EAP-TLS connection request comes from a client, it fails with the same error as this article. The server uses a wildcard cert. I can confirm it is in the trust list.

Just wondering what else might be causing this issue, any ideas?