Installing self-signed CA for Omniauth


Hi All,

I am using the excellent LDAP plugin provided at GitHub - jonmbake/discourse-ldap-auth: Discourse plugin to enable LDAP/Active Directory authentication. This uses Omniauth for the LDAP authentication. Our Active Directory server uses a self-signed certificate for LDAPS connections, and I am not sure how to install the certificate on our Discourse server so that it’s honoured. I have been provided with a crt file exported from the Active Directory server.

Any help would be appreciated.

(Matt Palmer) #2

Give this example a try – it’ll install a new trust anchor in the system’s trust store, so Discourse will be willing to trust that certificate and any certificates issued from it.


Thanks for the suggestion @mpalmer. I converted the crt into a pem file and placed it into /etc/ssl/certs, followed by running /usr/sbin/update-ca-certificates, but unfortunately still no luck.

I am flying a bit blind here, as nothing appears in the Discourse logs at ( In the linked post there are references to errors which appear in the logs - how would I go about finding those logs, to get an idea about what’s really happening here?

Sorry for the basic questions - I am quite new to the whole Rails environment and how it works.

(Matt Palmer) #4

You actually need to put the certificate in /usr/local/share/ca-certificates and then run update-ca-certificates. My post mentioned /etc/ssl/certs as the location that programs look for the trust store certificates, not where you should put them. I’ve updated my post to remove the confusion.
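The procedure in the post above can be checked end to end with a short script. This is an added example, not part of the original thread or of the plugin; it assumes the Debian/Ubuntu `ca-certificates` layout, an `openssl` binary in the environment where Discourse runs, and an LDAPS listener on port 636. The function names and the host argument are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for a locally installed trust anchor.
# Assumed Debian/Ubuntu layout: anchors are dropped into
# /usr/local/share/ca-certificates and merged into the bundle below.
BUNDLE=/etc/ssl/certs/ca-certificates.crt

# update-ca-certificates only imports PEM files whose names end in .crt.
# Prints ok, missing, bad-extension or not-pem; returns 0 only for ok.
anchor_file_status() {
    f=$1
    if [ ! -f "$f" ]; then echo missing; return 1; fi
    case "$f" in
        *.crt) ;;
        *) echo bad-extension; return 1 ;;
    esac
    # A DER export has no PEM armour; convert it first with
    #   openssl x509 -inform der -in exported.crt -out anchor.crt
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo not-pem; return 1
    fi
    echo ok
}

# Confirms the anchor verifies against the rebuilt bundle, then checks that
# the chain presented by the LDAPS server verifies against the same bundle.
# $2 is the directory server's hostname (supplied by the caller).
check_ldaps() {
    crt=$1
    host=$2
    # Show which certificate was actually installed.
    openssl x509 -in "$crt" -noout -subject -issuer -enddate || return 1
    # Fails if update-ca-certificates did not pick the file up, or if the
    # exported certificate is a leaf issued by a CA that is not trusted.
    openssl verify -CAfile "$BUNDLE" "$crt" || return 1
    # stdin from /dev/null makes s_client exit after the handshake.
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$BUNDLE" -verify_return_error </dev/null 2>&1 |
        grep -E 'Verify return code|verify error'
}

# Usage: sh check-anchor.sh /usr/local/share/ca-certificates/<name>.crt <ldaps-host>
if [ "$#" -eq 2 ]; then
    anchor_file_status "$1" && check_ldaps "$1" "$2"
fi
```

A `Verify return code: 0 (ok)` line means the system trust store accepts the server's chain, so any remaining failure lies in the plugin or LDAP settings rather than in the installed certificate.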


Yep, after doing the procedure (wrongly) I re-read your post and realised the mistake. I have now put the crt file in /usr/local/share/ca-certificates and run update-ca-certificates, which put a pem version of the file in /etc/ssl/certs. Still doesn’t work unfortunately :(

Any ideas about some logs I can check out to determine any issues? Literally nothing (at all, related or unrelated to this problem) is being printed to the Discourse logs.

(Matt Palmer) #6

You’ll probably need to talk to the author of the plugin, @jonmbake, about how to diagnose specific problems with the plugin. I burned my last LDAP server to the ground some years ago, and my therapist says I’m making excellent progress with the PTSD.