
Doesn't trust Let's Encrypt certificates

Open BloodyIron opened this issue 3 years ago • 7 comments

When I try to get PWM to connect to my Samba AD DCs via ldaps on port 636, I get the following error:

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request) fields: [unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request]

The certificate used is a Let's Encrypt certificate I just generated for blah.domain.com and *.blah.domain.com, which is expected to work. But I cannot figure out why this is failing.

When I tell PWM to import cert from server it spits out this error:

A certificate error has been encountered: unable to read server certificates from host=dc1.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request.

5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=dc1.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request) fields: [unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request]

===

I'm really not sure why this is failing, as the Samba AD DC server is configured to present the cert and CA, and it is.

BloodyIron avatar Dec 02 '22 05:12 BloodyIron

Hmm, this might actually be because this version of Java doesn't handle TLSv1.3 correctly. Can we get Java updated to support TLSv1.3 please?

BloodyIron avatar Dec 04 '22 04:12 BloodyIron

Yeah, I have just confirmed that this problem does not occur when my Samba AD DCs present only TLSv1.2. So we really do need TLSv1.3 support please!

BloodyIron avatar Dec 04 '22 05:12 BloodyIron
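The two comments above narrow the failure down by toggling TLS versions on the DCs. A client-side probe gives the same answer without touching the domain controllers and also separates the two things this issue title conflates: a chain the JVM does not trust (a PKIX/CertificateException, fixed by importing the CA) versus a handshake that fails before trust is even evaluated (which is what "extension (5) should not be presented in certificate_request" is; extension 5 is `status_request`, OCSP stapling, which an older JSSE rejects when it appears in a TLS 1.3 CertificateRequest). The following standalone Java program is an added example written for this page, not PWM or pwm-container code; the host name `dc1.blah.domain.com` is the placeholder from the thread and port 636 is the standard LDAPS port.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Probes an LDAPS endpoint once with TLSv1.3 and once with TLSv1.2 using the
 * JVM's default SSLContext (and therefore its default cacerts truststore),
 * so the result reflects exactly what a Java client such as PWM would see.
 * Added diagnostic example; not part of the PWM project.
 */
public class LdapsTlsProbe {

    /** Outcome of one handshake attempt. */
    enum Result { OK, UNTRUSTED_CHAIN, PROTOCOL_ERROR, OTHER_ERROR }

    static Result probe(String host, int port, String protocol) {
        try {
            SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
            try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
                // Force a single protocol version so the two runs are comparable.
                // On a JDK without TLSv1.3 this throws IllegalArgumentException -> OTHER_ERROR.
                sock.setEnabledProtocols(new String[] { protocol });
                sock.setSoTimeout(5000);
                sock.startHandshake(); // LDAPS is TLS-from-the-start, no STARTTLS needed
                Certificate[] chain = sock.getSession().getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.printf("%s: handshake OK (negotiated %s), subject=%s, issuer=%s%n",
                        protocol, sock.getSession().getProtocol(),
                        leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal());
                return Result.OK;
            }
        } catch (SSLHandshakeException e) {
            // Trust failures surface as a CertificateException somewhere in the cause chain
            // (e.g. "PKIX path building failed"). Anything else failed before trust evaluation.
            if (hasCause(e, CertificateException.class)) {
                System.out.printf("%s: chain NOT trusted by the JVM truststore: %s%n", protocol, e.getMessage());
                return Result.UNTRUSTED_CHAIN;
            }
            System.out.printf("%s: handshake failed at the protocol level: %s%n", protocol, e.getMessage());
            return Result.PROTOCOL_ERROR;
        } catch (Exception e) {
            System.out.printf("%s: %s%n", protocol, e);
            return Result.OTHER_ERROR;
        }
    }

    static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "dc1.blah.domain.com"; // placeholder host from the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        Result v13 = probe(host, port, "TLSv1.3");
        Result v12 = probe(host, port, "TLSv1.2");

        if (v13 == Result.PROTOCOL_ERROR && v12 == Result.OK) {
            System.out.println("TLSv1.2 works and TLSv1.3 fails before trust evaluation:"
                    + " this is a JSSE TLS 1.3 problem in this JDK, not a missing Let's Encrypt CA.");
        } else if (v13 == Result.UNTRUSTED_CHAIN || v12 == Result.UNTRUSTED_CHAIN) {
            System.out.println("The chain is rejected: import the issuing CA (for Let's Encrypt, ISRG Root X1)"
                    + " into the JVM truststore with keytool -importcert -cacerts.");
        }
    }
}
```

Run it on the same JVM the container uses (`java LdapsTlsProbe dc1.blah.domain.com 636`). If only the TLSv1.3 run fails with the `extension (5) ... certificate_request` message, the durable fix is a newer JDK in the image; as a stopgap that keeps the domain controllers on TLS 1.3 for every other client, the PWM JVM alone can be pinned with the standard `-Djdk.tls.client.protocols=TLSv1.2` system property, which applies to clients that use the default SSLContext as this probe does.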

@fjudith does the new v2.0.5 image address Let's Encrypt and/or TLS v1.3 compatibility?

BloodyIron avatar Apr 10 '23 23:04 BloodyIron

Thank you for your feedback @BloodyIron,

I've been working for a while and concluded those features are better handled by reverse proxies like Traefik if you run Docker, or Cert-Manager for Kubernetes.

The problem arises when you want to test locally. This might work only if you use the DNS-01 challenge, as it avoids Let's Encrypt contacting the server directly.

Considering your issue, I think integrating the Let's Encrypt CA certificate in the default Java keystore should solve your issue.

fjudith avatar Apr 11 '23 03:04 fjudith

Why not have the public Let's Encrypt certs (root/otherwise) be added to the image for everyone out of the box? The issue is with PWM working against LDAPS, not the web GUI aspect. I had to have my authentication domain controllers downgrade from TLS v1.3 to v1.2 just so that PWM would actually work against them. That's a security problem, as I cannot use TLS v1.3 for any other system interfacing with the same authentication domain controllers.

BloodyIron avatar Apr 11 '23 16:04 BloodyIron

So can we get TLS v1.3 support for LDAPS please? I'm forced to turn a lot of things back to v1.2 just because of this one limitation, and this isn't going to go away.

BloodyIron avatar Nov 24 '23 20:11 BloodyIron

Still really do want TLS v1.3 support for LDAPS. Is this project going to get any more love? The last commit was a year ago. :(

BloodyIron avatar May 30 '24 17:05 BloodyIron