Doesn't trust Let's Encrypt certificates

[BloodyIron]

When I try to get PWM to connect to my Samba AD DCs via ldaps on port 636, I get the following error:

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request) fields: [unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request]

The certificate used is a Let's Encrypt certificate I just generated for blah.domain.com and *.blah.domain.com, which is expected to work. But I cannot figure out why this is failing.

When I tell PWM to import cert from server it spits out this error:

A certificate error has been encountered: unable to read server certificates from host=dc1.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request.

5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=dc1.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request) fields: [unable to read server certificates from host=dc.blah.domain.com, port=636 error: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request]

===

I'm really not sure why this is failing, as the Samba AD DC server is configured to present the cert and CA, and it is.

[BloodyIron]

Hmm this might actually look to be this version of Java doesn't handle TLSv1.3 correctly. Can we get Java updated to support TLSv1.3 please?

[BloodyIron]

Yeah I have just confirmed that this problem does not exhibit when my Samba AD DCs present only TLSv1.2. So really do need TLSv1.3 support please!

[BloodyIron]

@fjudith does the new v2.0.5 image address Let's Encrypt and/or TLS v1.3 compatibility?

[fjudith]

Thank you for your feedback @BloodyIron,

I've been working for while and concluded those features are better handled by Reverse-Proxies like Traefik if you run Docker or Cert-Manager for Kubernetes.

The problem raises when you want to test locally. This might work only if you use DNS01 Challenge as it avoids Let's Encrypt to contact the server directly.

Considering your issue, it think integrating the Let's Encrypt CA certificaet in the default Java keystore should solve your issue.

[BloodyIron]

Why not have the public Let's Encrypt certs (root/otherwise) be added to the image for everyone out of the box? The issue is with PWM working against LDAPS, not the webGUI aspect. I had to have my authentication domain controllers down-grade from TLS v1.3 to v1.2 just so that PWM would actually work against it. That's a security problem, as I cannot use TLS v1.3 for any other system interfacing against the same authentication domain controllers.

[BloodyIron]

So can we get TLS v1.3 support for LDAPS please? I'm forced to turn a lot of things back to v1.2 just because of this one limitation, and this isn't going to go away.

[BloodyIron]

Still really do want TLS v1.3 support for LDAPS. Is this project going to get any more love? The last commit was a year ago. :(