Installing self-signed CA for Omniauth


#1

Hi All,

I am using the excellent LDAP plugin provided at GitHub - jonmbake/discourse-ldap-auth: Discourse plugin to enable LDAP/Active Directory authentication. This uses Omniauth for the LDAP authentication. Our Active Directory server uses a self-signed certificate for LDAPS connections, and I am not sure how to install the certificate on our Discourse server so that it’s honoured. I have been provided with a crt file exported from the Active Directory server.

Any help would be appreciated.


(Matt Palmer) #2

Give this example a try – it’ll install a new trust anchor in the system’s trust store, so Discourse will be willing to trust that certificate and any certificates issued from it.


#3

Thanks for the suggestion @mpalmer. I converted the crt into a pem file and placed it into the /etc/ssl/certs followed by running /usr/sbin/update-ca-certificates but unfortunately still no luck.

I am flying a bit blind here, as nothing appears in the Discourse logs at (http://www.example.com/logs). In the linked post there are references to errors which appear in the logs - how would I go about finding those logs, to get an idea about what’s really happening here?

Sorry for the basic questions - I am quite new to the whole Rails environment and how it works.


(Matt Palmer) #4

You actually need to put the certificate in /usr/local/share/ca-certificates and then run update-ca-certificates. My post mentioned /etc/ssl/certs as the location that programs look for the trust store certificates, not where you should put them. I’ve updated my post to remove the confusion.
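The procedure described in the reply above, written out as an added shell example (not from the post's author or from the Discourse or plugin projects). It assumes a Debian-style trust store as used by the Discourse container (local anchors in /usr/local/share/ca-certificates, rebuilt into /etc/ssl/certs by update-ca-certificates), that openssl is installed, and that the host name dc01.example.com and the file name ad-root.crt are placeholders. Two details that commonly break this step are handled: update-ca-certificates only picks up files whose name ends in .crt, and it only accepts PEM content, so a DER export from the AD certificate console has to be converted first.

```shell
#!/usr/bin/env bash
# Install a self-signed AD root certificate as a system trust anchor so that
# OpenSSL, and therefore Ruby / net-ldap / Omniauth, trusts the LDAPS endpoint.
set -eu

# Directory update-ca-certificates scans for local anchors (overridable for testing).
CA_LOCAL_DIR="${CA_LOCAL_DIR:-/usr/local/share/ca-certificates}"

# Return 0 if the file is PEM-encoded (has a BEGIN CERTIFICATE banner), 1 if it is DER.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy the certificate into the local anchor directory as PEM with a .crt suffix.
# Arguments: source file, optional anchor name (defaults to the source basename).
# Prints the installed path.
install_ca_cert() {
  src="$1"
  name="${2:-$(basename "${1%.*}")}"
  dest="$CA_LOCAL_DIR/$name.crt"
  mkdir -p "$CA_LOCAL_DIR"
  if is_pem_cert "$src"; then
    cp "$src" "$dest"
  else
    # DER export (typical of the Windows certificate MMC): convert to PEM.
    openssl x509 -inform DER -in "$src" -out "$dest"
  fi
  chmod 644 "$dest"
  printf '%s\n' "$dest"
}

# Rebuild /etc/ssl/certs (hashed symlinks plus the ca-certificates.crt bundle).
# This is the step that makes the anchor visible to programs; copying into
# /etc/ssl/certs by hand is not enough.
refresh_trust_store() {
  update-ca-certificates
}

# Check that the LDAPS server's chain now verifies against the system store.
# Returns 0 on "Verify return code: 0 (ok)", non-zero otherwise.
verify_ldaps() {
  host="$1"
  port="${2:-636}"
  openssl s_client -connect "$host:$port" -CApath /etc/ssl/certs </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage (as root on the Discourse host, or inside the app container):
#   install_ca_cert ad-root.crt corp-ad-root
#   refresh_trust_store
#   verify_ldaps dc01.example.com && echo "LDAPS chain trusted by the system store"
```

If verify_ldaps still fails after the refresh, the usual causes are that the exported file is the server's leaf certificate rather than the issuing CA, or that the server presents a name that does not match the host you connect to; the openssl s_client output shows which.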


#5

Yep, after doing the procedure (wrongly) I re-read your post and realised the mistake. I have now put the crt file in /usr/local/share/ca-certificates and ran update-ca-certificates which put a pem version of the file in /etc/ssl/certs. Still doesn’t work unfortunately :frowning:

Any ideas about some logs I can check out to determine any issues? Literally nothing (at all, related or unrelated to this problem) is being printed to the Discourse logs.


(Matt Palmer) #6

You’ll probably need to talk to the author of the plugin, @jonmbake, about how to diagnose specific problems with the plugin. I burned my last LDAP server to the ground some years ago, and my therapist says I’m making excellent progress with the PTSD.