Description: This article helps resolve the LDAPS error message for Active Directory, "SSL: certificate_verify_failed."
When configuring LDAPS (LDAP over SSL) in OpenVPN Access Server as described in the guide's optional step "Enable SSL over the connection", you may encounter one of these errors after installing the Enterprise Root CA:
"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate"
"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"
Either error means that the certificate chain presented by the LDAP server contains a certificate that Access Server does not trust (for example a self-signed certificate, or one issued by a private CA that Access Server has not been told about).
By default, LDAP over SSL in Access Server requires a valid SSL certificate that is signed by a trusted CA. If the LDAP server is still using the self-signed certificate it was set up with, this error is expected.
To resolve the error and get LDAPS on the Access Server working, you can disable this certificate check by running the command below with "root" user privileges from the Access Server scripts directory (the "auth.ldap.0.ssl_verify" key controls verification; note that setting "auth.ldap.0.use_ssl" to never would turn off SSL for the LDAP connection altogether, which is not what is wanted here):
./sacli --key "auth.ldap.0.ssl_verify" --value never ConfigPut
./sacli start
This should resolve your issue.
Note that traffic between your Access Server and your LDAP server is encrypted in both cases, whether certificate verification ("auth.ldap.0.ssl_verify") is enabled or disabled. The check is only relevant when the LDAP server uses a certificate signed by a CA; in that case you can keep verification enabled and point Access Server at the CA certificate with "auth.ldap.0.ssl_ca_cert" instead of disabling the check.
Use the command below to define whether your LDAPS traffic is encrypted:
./sacli --key "auth.ldap.0.use_ssl" --value <VALUE> ConfigPut
Use the command below to define the path to the CA certificate file that Access Server uses to verify the LDAP server's certificate:
./sacli --key "auth.ldap.0.ssl_ca_cert" --value <PATH_TO_FILE_NAME> ConfigPut
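As an added example (not from this article or from OpenVPN), the script below reproduces the "unable to get local issuer certificate" failure offline with a constructed private CA and shows that supplying that CA file is what makes verification pass; the CA file that passes here is the one "auth.ldap.0.ssl_ca_cert" should point to. It assumes the openssl CLI is installed and uses constructed names (Example Enterprise Root CA, ldap.example.internal).

```shell
#!/bin/sh
# Added example, not OpenVPN code. Builds a throwaway CA and an LDAP server
# certificate signed by it, then checks that certificate with and without the
# CA file, exactly the distinction behind the Access Server error above.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a constructed private CA and a server certificate issued by it.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Enterprise Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/ldap.pem" >/dev/null 2>&1
}

# Verify a server certificate the way a TLS client does.
#   $1 = server certificate file
#   $2 = CA file to trust, or "" to trust nothing (no system store either)
# Prints "ok" on success; otherwise prints openssl's error text and returns 1.
verify_ldap_cert() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || { echo "$out"; return 1; }
  else
    out=$(openssl verify -no-CAfile -no-CApath "$1" 2>&1) || { echo "$out"; return 1; }
  fi
  echo ok
}

# Against a live directory server the equivalent check is:
#   openssl s_client -connect ldap.example.internal:636 -CAfile "$WORK/ca.pem"
# and the "Verify return code" line must read 0 (ok).
```

With no CA file the second call prints "unable to get local issuer certificate", the same condition Access Server reports; with the CA file it prints "ok".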
For more information about the commands mentioned here, refer to the LDAP authentication commands guide.
If you have additional questions, please submit a ticket.