Hello,
I'm trying to set up an LDAPS server on my FortiGate 50E (6.2.17). It works with the IP without a cert and I can save, but I would like it to work with a cert.
When I try with the FQDN, I can't save and it shows "invalid hostname" (I can ping the FQDN from the FW), even though the connectivity test works and I can browse the distinguished name.
Then, when I try to enable the secure connection and add the CA cert (with the FQDN as the CN), the connectivity test still works and I can still browse the distinguished name, but when I try to validate, it disables the secure connection with the cert and I get an invalid hostname error,
even though I can ping this hostname, browse the DN and everything...
Does someone know why it could do that?
Best Regards
John
Hi John
Can you try setting the hostname from the CLI?
config user ldap
    edit LDAPS_Tutafeh
        set server "srv_dc_dns.tutafeh.com"
    next
end
Hello AEK,
I tried but got this error
Hello @JohnSmith33 ,
Can you try removing the quotation marks?
set server srv_dc_dns.tutafeh.com
Hello @ozkanaltas
The problem stays the same.
Possible to get rid of the underscores _ ?
https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1
The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length.
You may be able to work around it, depending on your server certificate, by creating a DNS database entry on the FortiGate for something like srvdcdns.tutafeh.com pointing at that IP, and using that as the FQDN in your LDAP server setting. The FQDN must match the server certificate.
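The two conditions this answer relies on, a name that satisfies the RFC 1035 label syntax and a name that matches the server certificate, can be checked before touching the FortiGate. The following is an added example, not code from the thread or from Fortinet; it applies the RFC 1035 "preferred name syntax" quoted above strictly (the FortiGate's exact validation logic is not documented here, so treating it as RFC 1035 is an assumption), and the certificate SAN lists and hostnames used in it are constructed samples.

```python
import re
import string

# RFC 1035 section 2.3.1 preferred name syntax, applied per label:
# starts with a letter, ends with a letter or digit, interior characters
# are letters, digits or hyphen. Underscore is therefore never allowed.
LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
ALLOWED = set(string.ascii_letters + string.digits + "-")
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # textual limit for a full name (255 octets on the wire)


def check_hostname(fqdn: str) -> list:
    """Return a list of problems; an empty list means the name is RFC 1035 compliant."""
    problems = []
    name = fqdn.rstrip(".")
    if not name:
        return ["empty hostname"]
    if len(name) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading or consecutive dot)")
            continue
        if len(label) > MAX_LABEL:
            problems.append(f"label '{label}' longer than {MAX_LABEL} characters")
        if LABEL_RE.match(label):
            continue
        bad = sorted({c for c in label if c not in ALLOWED})
        if bad:
            problems.append(
                f"label '{label}' contains invalid character(s): {''.join(bad)}")
        else:
            problems.append(
                f"label '{label}' must start with a letter and end with a letter or digit")
    return problems


def is_valid_hostname(fqdn: str) -> bool:
    return not check_hostname(fqdn)


def cert_matches_hostname(fqdn: str, san_dns_names: list) -> bool:
    """Match the configured FQDN against the certificate's dNSName SAN entries
    the way TLS clients do: case-insensitive exact match, or a wildcard that
    covers exactly one leftmost label (RFC 6125 style)."""
    host = fqdn.rstrip(".").lower()
    for san in san_dns_names:
        san = san.rstrip(".").lower()
        if san.startswith("*."):
            suffix = san[1:]                       # e.g. ".tutafeh.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:       # wildcard spans one label only
                return True
        elif san == host:
            return True
    return False


def ldap_server_name_ok(fqdn: str, san_dns_names: list) -> tuple:
    """Combined pre-check: (ok, reasons). Both conditions must hold before an
    LDAPS server entry can be saved with this name and validated against its cert."""
    reasons = check_hostname(fqdn)
    if not cert_matches_hostname(fqdn, san_dns_names):
        reasons.append(f"'{fqdn}' is not covered by the certificate SAN list {san_dns_names}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: the DC's certificate was issued for the new underscore-free name.
    sample_san = ["srvdcdns.tutafeh.com"]
    for name in ("srv_dc_dns.tutafeh.com", "srvdcdns.tutafeh.com"):
        ok, reasons = ldap_server_name_ok(name, sample_san)
        print(name, "OK" if ok else "REJECTED: " + "; ".join(reasons))
```

Running the block prints the underscore name as rejected for the invalid character and the hyphen-free replacement as OK. Note that a certificate reissued for the new name is still required: the name check alone only gets the entry saved, which is consistent with the original poster's later observation that the DNS-entry name saved fine but the certificate check still failed until it matched.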
Created on 08-15-2025 03:50 AM Edited on 08-15-2025 03:50 AM
Markus is right.
I just tried with an underscore in the hostname and it shows the same error.
Hello guys,
Thanks for the answers. I could only try without the underscore this morning, and I can now save. Well, it works without a certificate with the DNS entry, but not with the certificate, even though I renewed it with the new name.
I think I'm going to redeploy everything so I don't need the DNS entry, and I won't ever put an underscore in my DC server name x)
Anyway, thanks for the solution about the underscore.
Keep in mind that 6.x is an old version and the certificate was not mandatory.
Starting from 7.4.4, the trusted certificate is required.
Created on 08-18-2025 02:16 AM Edited on 08-18-2025 02:17 AM
So plan for the certificate check.
Please mark the forum post as solved, so that others may consider looking at it when searching for the same problem. (I saw you did that already.)