Technical Tip: LDAPS/STARTTLS certificate issuer enforcement

Starting from FortiOS v7.4.4, the LDAPS/STARTTLS server certificate issuer has been enforced.

This means that the server certificate issuer (the root CA) needs to be installed on the FortiGate store, as it will otherwise cause an error in authentication.

Release Note (refer to Engineering case ID 949997).

fnbamd debug:

diagnose debug app fnbamd -1

[433] start_remote_auth-Total 1 server(s) to try 
[1881] handle_req-r=4
[1378] __ldap_tcps_connect-Start ldap conn timer.
[1666] __verify_cb-Cert error 20, unable to get local issuer certificate. Depth 0. Subject '/CN=ion-kvm88.labtest.local'
[1345] __ldap_tcps_connect-tcps_connect(10.192.11.88) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
[1642] __ldap_error-Ret 5, st = 0.
[1679] __ldap_error-
[1485] __ldap_tcps_close-closed.
[1567] __ldap_conn_stop-Stop ldap conn timer.

The 'certificate verify failed' error appears when the root CA is not installed on the FortiGate store.

To prevent this error, import the certificate (root CA) that signed the server certificate into the FortiGate store.

If it is not possible to find the System -> Certificates option in the GUI, it is necessary to enable Certificates under Features Visibility, then select Apply.

fnbadm debug:

[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[1378] __ldap_tcps_connect-Start ldap conn timer.
[1669] __verify_cb-Cert preverify ok. Depth 1. Subject '/DC=local/DC=labtest/CN=labtest-ION-KVM88-CA'
[1669] __verify_cb-Cert preverify ok. Depth 0. Subject '/CN=ion-kvm88.labtest.local'
[1378] __ldap_tcps_connect-Start ldap conn timer.
[1363] __ldap_tcps_connect-tcps_connect(10.192.11.88) is established. Current state: Connecting.
[1120] __ldap_auth_ctx_reset-
[984] __ldap_next_state-State: Connecting -> Admin Binding
[1378] __ldap_tcps_connect-Start ldap conn timer.
[1221] __ldap_rxtx-fd 10, state 2(Admin Binding)
[1223] __ldap_rxtx-Stop ldap conn timer.

In this output, after the import, check the server certificate (Depth 0) and the root CA (Depth 1) that signed the server certificate.

The error will go away, and LDAPS/STARTTLS authentications will start to work again.

On the LDAP configuration, there is nothing to be changed.

When using 'Secure Connection' with 'LDAPS' protocol, on several occasions, it is charged a different CA than the one it should import. For example, a CA with a different common name than the one the LDAP Server is sending to FortiGate. The following image shows that the connection was not successful, because the 'CA_Cert_1' has a different common name than it should have.

To find out which Root-CA should be imported in this field, it is necessary to perform a PCAP capture with port 636, using the Network Diagnostic GUI tool.

Once the capture is obtained, open it with Wireshark, go to the 'TLSv.1.X Server Hello, Certificate, Server key Exchange' package, go to the TLS layer, and go to the Certificate/issuer option. In this part, it is possible to validate the Common Name that the server is sending to FortiGate.

It is possible to extract the server certificate from the Wireshark capture when TLS 1.2 is used by following the steps outlined in the referenced article: Technical Tip: How to extract a certificate from a Wireshark capture.

 
Once the CA that the server sends to FortiGate is known, this CA must be searched in the LDAPS server and imported into FortiGate. After being validated in the FortiGate, it can be used for LDAPS authentication.

Note: There are times when, even after updating the server root certificate to the FortiGate certificate store, the authentication will fail due to an 'Unknown CA' error. In one case, the certificate was updated under the Local CA store instead of the Remote CA.

After reinstalling the root certificate, when the certificate was under the Remote CA, the authentication was successful.

As a result, make sure that the certificate is under the Remote CA in the certificate store. Additionally, ensure that the certificate is correctly downloaded as a CA from the authentication server.

The same behavior is also observed in FortiOS v7.6.x.

When Server Identity Check is enabled (optional), FortiGate validates that the LDAP server certificate matches the configured server value:

• If configured by IP, the certificate must contain the same IP in the SAN.
• If configured by Name/FQDN, it must match the CN or DNS SAN (ensure DNS resolution).

If not matched, LDAPS may fail with 'Can't contact LDAP server'. In this case, disable Server Identity Check to avoid LDAP authentication failure.

Note: If the issue persists, consider regenerating the certificates on the Customer LDAP server and re-import the certificate chain.

Related articles: