FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
tbarua
Staff
Article Id 422159
Description

This article describes how to resolve the error 'Can't contact LDAP server error:0A000086:SSL routines::certificate verify failed', which appears when a remote sync rule tries to synchronize remote LDAP users over LDAPS.

Scope

FortiAuthenticator.


Solution

In this scenario, LDAPS is used for the remote user database. The LDAP server is reachable and can be browsed with the LDAP bind user and the selected CA. However, when the remote sync rule runs, synchronization fails with a certificate error.


Screenshot: ldaps_fac.png

Raw logs:

Date=2025-11-19 time=11:26:22+0000 oid=5948 logid=30303 cat="Event" subcat="System" level="error" nas="" action="" status="" msg="Failed to sync (rule: LDAPSync) with TEST-AD: Unable to query remote LDAP server TEST-AD (test.net) for users to sync (rule LDAPSync): ldap_simple_bind_s failed: Can't contact LDAP server error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate)" user="" requestid=


Capture packets on the FortiAuthenticator to check for certificate-related errors, and confirm that the certificate chain the LDAP server presents during the TLS handshake is fully trusted on the FortiAuthenticator. The reason 'unable to get local issuer certificate' in the log means the FortiAuthenticator received the server certificate but did not have the certificate of its issuer (typically an intermediate CA) in its trusted CA store.

Generally, if the server certificate is issued through an intermediate CA (a chain rather than a single root), every certificate in that chain must be imported under Certificate Authorities -> Trusted CAs. Once all certificates in the chain are trusted, the sync should succeed.


If the issue persists after importing the intermediate CAs, selecting All Trusted from the Trusted CA options under Secure Connection can also resolve the problem.
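The two trust-store states described above, reproduced offline as an added example (this script is not part of the article or of the FortiAuthenticator product): it builds a constructed three-tier chain with openssl (Example Root CA -> Example Issuing CA -> ldap.test.net, all names and keys throwaway values made up here), then verifies the server certificate first with only the root CA trusted, which yields the same 'unable to get local issuer certificate' reason seen in the raw log, and then with the root and intermediate both trusted, which is the state reached after importing the full chain under Trusted CAs.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the FortiAuthenticator product): reproduce the
# "unable to get local issuer certificate" failure offline with a constructed chain
#   Example Root CA -> Example Issuing CA (intermediate) -> ldap.test.net (server cert)
# and show that verification succeeds only once the intermediate CA is trusted too.
# All names and keys are throwaway values constructed for this demonstration.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate the three-tier chain with openssl (EC keys keep key generation fast).
make_chain() {
  (
    cd "$WORK" || exit 1
    # 1. Self-signed root CA.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
    # 2. Intermediate (issuing) CA, signed by the root.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Example Issuing CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -out int.pem -days 2 -extfile int.ext >/dev/null 2>&1
    # 3. LDAP server certificate, signed by the intermediate only.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout ldap.key -out ldap.csr -subj "/CN=ldap.test.net" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.test.net\n' > ldap.ext
    openssl x509 -req -in ldap.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -out ldap.pem -days 2 -extfile ldap.ext >/dev/null 2>&1
  )
}

# Verify the server certificate against a trusted-CA bundle, the same check an LDAPS
# client performs on the chain it receives. Prints "OK" or the verifier's diagnostic
# line; always returns 0 so callers can compare the printed text.
verify_ldap_cert() {
  trusted="$1"
  out=""
  if out="$(openssl verify -CAfile "$trusted" "$WORK/ldap.pem" 2>&1)"; then
    echo "OK"
  else
    # Keep the diagnostic line, e.g.
    # "error 20 at 0 depth lookup: unable to get local issuer certificate"
    printf '%s\n' "$out" | grep -m1 'depth lookup' || printf '%s\n' "$out"
  fi
}

# State in the article: only the root CA is trusted; the intermediate is missing.
trust_root_only() {
  verify_ldap_cert "$WORK/root.pem"
}

# The fix: root and intermediate both present in the trusted-CA bundle.
trust_full_chain() {
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trusted.pem"
  verify_ldap_cert "$WORK/trusted.pem"
}

make_chain
echo "Only root CA trusted:        $(trust_root_only)"
echo "Root + intermediate trusted: $(trust_full_chain)"
```

Against a live directory server the same question is answered with `openssl s_client -connect <ldap-host>:636 -showcerts`: the output lists every certificate the server actually sends, so it shows whether the server omits the intermediate (in which case that intermediate must be imported on the FortiAuthenticator) and which issuer the chain terminates at. Importing the specific chain keeps trust limited to the issuers that actually sign the LDAP server certificate, which is why it is the first step and All Trusted the fallback.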


Screenshot: ldap_cert.png


Related document: Remote user sync rules - LDAP