Can't make pwm trust LDAP server certificate


jorgerod...@gmail.com
Mar 1, 2017, 10:42:52 AM
to pwm-general
Greetings,
Trying to install pwm-1.8.0-SNAPSHOT-2016-04-01T17-41-49Z-pwm-bundle
Currently have it on a CentOS 7 machine, with java 1.8.0_121 and tomcat 8.5.11.
When trying to connect securely to our LDAP (Microsoft's AD) server I get this error:

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=ad1-r2.nsula.edu, port=636 error: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints) fields: [unable to read server certificates from host=ad1-r2.nsula.edu, port=636 error: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints]

The certificate from the LDAP server was exported via the Windows certificate tool as a .cer file.

I have tried just renaming the .cer file to .pem and importing it, and get the same error.

When trying to convert the .cer file to .pem with this command:

openssl x509 -inform der -in ad1-r2.nsula.edu.cer -out ad1-r2.nsula.edu.pem

I get this error:

unable to load certificate
140010979059616:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140010979059616:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509


I tried to vi the .cer file and it looks like this: (replaced bunch of the content with '*' to post here)

-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAg******
**************************
***********BBAGCNxQCAjAL
-----END CERTIFICATE-----

Thanks in advance for help.

jason.e...@gmail.com
Mar 2, 2017, 1:02:46 PM
to pwm-general, jorgerod...@gmail.com
What are your algorithms for the certificate? SHA-1, SHA-256? Also, what are your chained algorithms? If any of those are MD2 then it will fail since Java 6u17.

http://www.oracle.com/technetwork/java/javase/6u17-141447.html

If any of them are and for some reason you can change them, you can comment out the following in the java.security file located in the JDK folder:

jdk.certpath.disabledAlgorithms=MD2

jason.e...@gmail.com
Mar 2, 2017, 1:27:01 PM
to pwm-general, jorgerod...@gmail.com, jason.e...@gmail.com
Also, there is another one I forgot about; this is from Java 8:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

and Java 7:

jdk.tls.disabledAlgorithms=SSLv3

g.mccull...@gmail.com
May 16, 2020, 7:34:47 PM
to pwm-general

I have this same issue. I created a brand new cert on my Windows AD server. Using SHA256, I have custom ports and they are open and working. I can connect to LDAP using the non-encrypted connection port, and I can connect using the encrypted port connection, but only with SSL disabled or unchecked in my PWM configuration wizard.

I get the exact same error message shown above.

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=DC02.BLAH.COM, port=5XXXX error: Connection reset) fields: [unable to read server certificates from host=DC02.BLAH.COM, port=5XXXX error: Connection reset]

I'm thinking it's a permission issue or something on the AD side.

I also imported my AD LDAPS certificate into my linux ubuntu 18.04 Java keystore.

Just curious if you ever figured this out.

Thank you,
Greg

Somnath Singh
Sep 4, 2020, 5:35:42 AM
to pwm-general
Facing the same issue, getting:

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=cogneesol.ad.com, port=389 error: javax.net.ssl.SSLException: Connection reset, cause:java.net.SocketException: Connection reset) fields: [unable to read server certificates from host=cogneesol.ad.com, port=389 error: javax.net.ssl.SSLException: Connection reset, cause:java.net.SocketException: Connection reset]

Did you resolve it?

Regards,
Som

Henri Alves de Godoy
Sep 4, 2020, 2:00:03 PM
to pwm-g...@googlegroups.com
Hi Som,

I believe it is the most complicated step to configure with PWM.

In my case, on Windows Server 2008, I first had to disable responses in SSLv3, TLSv1.0 and TLSv1.1 and configure the server to respond only in TLSv1.2.

After that I had to reissue the certificate with SHA256; before, the CA was using SHA1.

Then I had to get the certificate from the AD server with the command:

# openssl s_client -showcerts -connect server:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycert.pem

Then import into Java with the command:

# keytool -importcert -keystore /etc/pki/java/cacerts -file mycert.pem

Finally, check in java.security the algorithms that are enabled or not.

After that restart tomcat and try to import in PWM.

I hope I helped with that.

Thanks
Henri.



--
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682
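The two recurring problems in this thread are (a) a .cer that is already Base-64/PEM being fed to `openssl x509 -inform der`, and (b) a certificate or chain signed with an algorithm that java.security's jdk.certpath.disabledAlgorithms rejects ("Certificates does not conform to algorithm constraints"). The script below is an added example, not code from the thread or from the PWM project: it uses only the Python standard library, detects whether a file is PEM or DER, pulls the signature algorithm OID out of each certificate with a minimal DER walker, and compares it against the names on a disabledAlgorithms line. The certificate blobs and the java.security line it runs on are constructed samples (the "certificates" have an empty tbsCertificate, so they only exercise the parser); point `check_certificate_file` at the bytes of a real exported .cer and at your real java.security line to do the same check locally.

```python
import base64
import re

# One or more PEM certificate blocks; a Windows "Base-64 encoded X.509 (.CER)" export is just PEM.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Signature-algorithm OIDs mapped to the names Java uses in disabledAlgorithms entries.
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "MD2withRSA",
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}

def _tlv(tag, content):
    """Encode a short-form DER TLV (used only to build the constructed samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length, as real certificates use
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content bytes into dotted notation (base-128 arcs, first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def load_der_certs(data):
    """Return DER blobs from PEM input (possibly several blocks) or from a single raw DER file."""
    blocks = PEM_RE.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    if data[:1] == b"\x30":                # DER Certificate starts with a SEQUENCE tag
        return [data]
    raise ValueError("input is neither PEM nor DER")

def signature_algorithm(der):
    """Read Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } and
    return the name of the outer signatureAlgorithm (dotted OID if it is not in SIG_OIDS)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)      # tbsCertificate, skipped
    _, alg, _ = _read_tlv(body, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def parse_disabled_algorithms(line):
    """Extract plain algorithm names from a java.security disabledAlgorithms line.
    Key-size constraints ("RSA keySize < 1024") are skipped; conditional entries such as
    "SHA1 jdkCA & usage TLSServer" are reduced to their name, which over-approximates Java."""
    _, _, value = line.partition("=")
    names = set()
    for entry in value.split(","):
        tokens = entry.split()
        if not tokens or "keySize" in entry:
            continue
        names.add(tokens[0].upper())
    return names

def blocked_by(sig_name, disabled):
    """Names from the disabled set that hit this signature's digest or key algorithm."""
    digest, _, key = sig_name.partition("with")
    return sorted(d for d in disabled if d in {digest.upper(), key.upper()})

def check_certificate_file(data, java_security_line):
    report = {"format": "PEM" if PEM_RE.search(data) else "DER", "signatures": [], "blocked": []}
    disabled = parse_disabled_algorithms(java_security_line)
    for der in load_der_certs(data):
        name = signature_algorithm(der)
        report["signatures"].append(name)
        for d in blocked_by(name, disabled):
            report["blocked"].append(f"{name} (disabled entry {d})")
    return report

# Constructed samples: real OIDs, toy certificate shape with an empty tbsCertificate.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
SAMPLE_JAVA_SECURITY = "jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024"

def build_sample_cert(sig_oid):
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 4)
    return _tlv(0x30, tbs + alg + sig)

def to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for blob in (to_pem(build_sample_cert(OID_SHA1_RSA)), build_sample_cert(OID_SHA256_RSA)):
        print(check_certificate_file(blob, SAMPLE_JAVA_SECURITY))
```

If the report says the file is already PEM, skip the `-inform der` conversion from the first post and import it as-is; if it lists a blocked entry, reissuing the certificate (and any intermediate) with SHA-256, as Henri did, is the fix that keeps the JVM's constraints intact, whereas editing jdk.certpath.disabledAlgorithms weakens every certificate check the JVM performs, not just this one.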