
Unable to connect to LDAP-based server using SSL with wildcard PFX


lethil


Hello!

 

I'm currently evaluating PlasticSCM for our team and it is great so far! I've run into a snag though.

 

I was previously running the server on Windows Server 2008 R2 in Active Directory authentication, but my team ran into a problem because the remote machines weren't part of the same domain. We've switched over to LDAP authentication set for Active Directory, but there's a snag.

 

We can connect without SSL, but we get the following error:

 

"The authentication or decryption has failed.: domainname.net:8088"

 

According to what I've found, it sounds as though the self-signed cert wasn't enough for LDAP auth.  I tried a domain-specific self-signed cert, but it still had the same problem. I decided to move to our official wildcard PFX cert (P12 export), which has *.domainname.net on it. It gives me the exact same error. We also tried hitting the site with "www.domainname.net" but we had the same error again.

 

For the time being, we're using unencrypted connections for our evaluation until we can figure this out.

 

Any idea what the issue could be?

 

Thanks!

Jason


Hi Jason,

 

 

We can connect without SSL, but we get the following error:

"The authentication or decryption has failed.: domainname.net:8088"

 

Can you confirm that you are getting that error with the regular connection mode?

 

Do you think it's possible to arrange an online meeting for this week in order to get more information?


Good news!

 

I discovered that I'm able to connect successfully, despite the error given while testing the connection. If I ignore the error during the connection test and finish the wizard, I'm able to connect via SSL and interact with the repository.  I still get the warnings about the SSL not matching though. I'm guessing that the application is making assumptions that a wildcard domain (like *.domainname.net) doesn't match a root domain (like domainname.net) and errors out somewhere in the code.

 

In short, it's not a great startup experience since I have to accept the "errors" about my SSL domain not matching, but it works. :)

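Added example, not part of the original posts and not PlasticSCM code: the guess in the last post agrees with the standard hostname-matching rule (RFC 6125), under which a certificate wildcard stands for exactly one left-most label. The sketch below applies that rule to the thread's placeholder names; the function names are hypothetical, and the thread does not confirm that this is what the connection test actually does.

```python
# Added example: RFC 6125-style matching of a server name against the DNS
# names listed in a certificate. Names used are the thread's placeholders.

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def name_matches(pattern, hostname):
    """True if one certificate DNS name (pattern) covers hostname.

    Only a whole left-most label may be '*', and it stands for exactly one
    label, so '*.example.net' covers neither 'example.net' nor
    'a.b.example.net'. IP addresses are out of scope for this sketch.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:
        return False                  # empty label: malformed name
    if len(p) != len(h):
        return False                  # '*' never spans zero or several labels
    if any("*" in label for label in p[1:]):
        return False                  # wildcard outside the left-most label
    if p[0] == "*":
        if len(p) < 3:
            return False              # refuse overly broad '*.net' patterns
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False                  # partial wildcards ('w*') not accepted here
    return p == h

def covering_names(dns_names, hostname):
    """Return the certificate DNS names that cover hostname (may be empty)."""
    return [n for n in dns_names if name_matches(n, hostname)]

if __name__ == "__main__":
    # Constructed name lists: wildcard only, and wildcard plus the apex name.
    wildcard_only = ["*.domainname.net"]
    wildcard_plus_apex = ["*.domainname.net", "domainname.net"]
    for host in ("domainname.net", "www.domainname.net", "a.b.domainname.net"):
        print(host,
              "| wildcard only:", covering_names(wildcard_only, host),
              "| with apex entry:", covering_names(wildcard_plus_apex, host))
```

If the server has to be reachable as domainname.net, the certificate needs that name as its own subject alternative name entry next to the wildcard. Otherwise clients should connect using a name that falls under the wildcard.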

Archived

This topic is now archived and is closed to further replies.
