Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JohnSmith33
New Contributor

Created on ‎08-15-2025 02:24 AM

LDAP cert Configuration error

 

Hello,

 

I'm trying to setup an ldaps srv on my fortigate 50E (6.2.17) and it works with the ip without cert and i can save but i would like it to work with a cert 

image.png

when i try with the fqdn, i can't save and shows invalid hostname (i can ping the fqdn from the fw) even if the connectivity test works and i can browse the distinguised name

 

image_2025-08-15_111328759.png

 

then when i try to enable the secure connection and add the CA cert (with the fqdn as the cn), the connectivity test still works, i can still browse the distinguished name but when i try to validate, it disable the secure connexion with the cert and i get an invalid hostname error

 

image.pngimage.png

even if i can ping this hostname and browse the dn and everything...

 

Does someone knows why it could do that ? 

 

Best Regards

John

 

 

 

 

 

 

Labels:
385
0 Kudos
1 Solution
Markus_M
Staff & Editor
Staff & Editor
In response to JohnSmith33

Created on ‎08-15-2025 03:42 AM

Possible to get rid of the underscores _ ?
https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1

The labels must follow the rules for ARPANET host names.  They must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.

You may be able to work around it, depending on your server certificate, with creating a DNS database entry on FortiGate for something similar to srvdcdns.tutafeh.com against that IP, and use that as FQDN in your LDAP server setting. The FQDN must match the server certificate.

- Markus

View solution in original post

338
9 REPLIES 9
AEK
SuperUser
SuperUser

Created on ‎08-15-2025 02:41 AM Edited on ‎08-15-2025 02:44 AM

Hi John

Can you try set the hostname from CLI?

config user ldap
 edit LDAPS_Tutafeh
  set server "srv_dc_dns.tutafeh.com"
 end
end

 

AEK
AEK
378
0 Kudos
JohnSmith33
New Contributor
In response to AEK

Created on ‎08-15-2025 02:54 AM

Hello AEK,

 

I tried but got this error

 image.png

372
0 Kudos
ozkanaltas
Valued Contributor III
In response to JohnSmith33

Created on ‎08-15-2025 02:57 AM

Hello @JohnSmith33 ,

 

Can you try removing the quotation marks?

 

set server srv_dc_dns.tutafeh.com
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
368
0 Kudos
JohnSmith33
New Contributor
In response to ozkanaltas

Created on ‎08-15-2025 03:14 AM

Hello @ozkanaltas 

the problem stays the same

348
0 Kudos
Markus_M
Staff & Editor
Staff & Editor
In response to JohnSmith33

Created on ‎08-15-2025 03:42 AM

Possible to get rid of the underscores _ ?
https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1

The labels must follow the rules for ARPANET host names.  They must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.

You may be able to work around it, depending on your server certificate, with creating a DNS database entry on FortiGate for something similar to srvdcdns.tutafeh.com against that IP, and use that as FQDN in your LDAP server setting. The FQDN must match the server certificate.

- Markus
339
AEK
SuperUser
SuperUser
In response to Markus_M

Created on ‎08-15-2025 03:50 AM Edited on ‎08-15-2025 03:50 AM

Markus is right.

I just tried with underscore in the hostname and it shows the same error.

AEK
AEK
333
JohnSmith33
New Contributor

Created on ‎08-16-2025 02:16 AM

Hello guys,

thanks for the answers, I could only try without underscore this morning and i can now save, well it works without a certificate with the entry dns but not with the certificate even if i renewed it with the new name.

I think I'm gonna redeploy everything so i don't need the dns entry and I won't ever put underscore in my dc srv name x)

Anyway thanks for the solution about the underscore.

240
0 Kudos
AEK
SuperUser
SuperUser
In response to JohnSmith33

Created on ‎08-17-2025 05:54 AM

Keep in mind 6.x is old version and certificate was not mandatory.

Starting from 7.4.4 the trusted certificate is required.

AEK
AEK
204
Markus_M
Staff & Editor
Staff & Editor
In response to AEK

Created on ‎08-18-2025 02:16 AM Edited on ‎08-18-2025 02:17 AM

Context: https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-STARTTLS-certificate-issuer-enforcem...

so plan for the certificate check.

Please mark the forum post as solved, that others may consider looking at it, when searching for the same problem. (saw you did that already)

- Markus
167
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.