Hi there.
With the Firmware update SFOS 18.5.1 MR-1-Build326 we ran into trouble with our LDAP authentication.
Our Domain controllers are using Let's Encrypt certificates to allow secure LDAP access (LDAPS).
The problem seems to be that the certificate installed at /static/system/certificate/Lets Encrypt ISRG Root X1.pem
is signed by the now-expired DST Root CA X3 (see also https://letsencrypt.org/certificates/#root-certificates).
You can test it by logging into the advanced shell and executing openssl s_client -connect myserver.mydomain.tld:636 :
With the pre-installed certificate you get an error:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
When you replace the contents of the certificate file with the self-signed version of the ISRG Root X1 certificate, the connection works again:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = myserver.mydomain.tld
verify return:1
With this, the LDAP authentication is possible again.
Of course, as a quick fix you can simply disable the certificate validation in the LDAP server settings.
I hope this workaround helps others running into the same problem.
Cheers
Alex
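The two s_client results above can be reproduced offline. The script below is an added example, not code from Alex's post or from Sophos: it builds a throwaway PKI in a temp directory, issues the same root twice from one key (once self-signed, once cross-signed by an older root that is not in the trust store), and runs openssl verify against each version, which is what the LDAP client does when it loads the certificate file. All names are constructed stand-ins: OldRoot plays DST Root CA X3, NewRoot plays ISRG Root X1, R3 plays the Let's Encrypt intermediate and ldap.example.test plays the domain controller. It only needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not code from the post or from Sophos: rebuilds the chain
# verification failure described above with a locally generated PKI, so it
# runs offline. Every name is a constructed stand-in: OldRoot = DST Root CA X3,
# NewRoot = ISRG Root X1 (issued twice from one key: self-signed and
# cross-signed by OldRoot), R3 = the Let's Encrypt intermediate,
# ldap.example.test = the domain controller. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

newkey() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; }
csr()    { openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null; }

# Self-sign a CSR with its own key: $1 = name -> $1-self.pem (a root certificate).
selfsign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1-self.pem" 2>/dev/null
}

# Sign a CSR with another CA: $1 = CSR name, $2 = issuer cert name, $3 = issuer
# key name, $4 = extension file, $5 = output name (-> $5.pem).
sign_with() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$4" -out "$WORK/$5.pem" 2>/dev/null
}

setup_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > "$WORK/leaf.ext"
  for n in OldRoot NewRoot R3 ldap; do newkey "$n"; done
  csr OldRoot OldRoot; csr NewRoot NewRoot; csr R3 R3; csr ldap ldap.example.test
  selfsign OldRoot                                   # OldRoot-self.pem: the old root
  selfsign NewRoot                                   # NewRoot-self.pem: new root, self-signed
  sign_with NewRoot OldRoot-self OldRoot ca.ext NewRoot-cross   # same key/subject, signed by OldRoot
  sign_with R3 NewRoot-self NewRoot ca.ext R3        # intermediate issued by the new root
  sign_with ldap R3 R3 leaf.ext ldap                 # the LDAPS server certificate
}

# Report whether a root PEM is self-signed (issuer == subject) or cross-signed.
root_kind() {  # $1 = PEM file
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subj" = "$iss" ]; then echo "self-signed"; else echo "cross-signed by $iss"; fi
}

# Verify the server chain the way the LDAP client does, against one trust
# store file; returns openssl's exit status (0 = chain verifies).
verify_chain_against() {  # $1 = CA file
  openssl verify -CAfile "$1" -untrusted "$WORK/R3.pem" "$WORK/ldap.pem"
}

setup_demo_pki
for f in NewRoot-cross NewRoot-self; do
  echo "trust store $f.pem is $(root_kind "$WORK/$f.pem")"
  if verify_chain_against "$WORK/$f.pem"; then echo "  -> chain verifies"; else echo "  -> chain rejected"; fi
done
```

The first loop iteration is the state of the pre-installed file: the trusted root is itself issued by a CA the trust store does not contain, so openssl stops at depth 2 with "unable to get issuer certificate", exactly as in the s_client output above. The second iteration is the state after the file has been replaced with the self-signed version. On a real appliance, pointing root_kind (or simply openssl x509 -in <file> -noout -subject -issuer -enddate) at the installed PEM tells you in one line whether it is the cross-signed or the self-signed copy, without touching the LDAP settings.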