LDAPS and Self-Signed Certificates

Using Ignition 8.0.17, Windows Server 2019

When setting up a connection to an LDAPS Active Directory, the connection fails with the following:

java.lang.Exception: Failed connecting to LDAP server.

at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:283)

at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:328)

at com.inductiveautomation.ignition.gateway.authentication.impl.ADInternalHybridUserSource.getUsers(ADInternalHybridUserSource.java:184)

at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.doGetUsers(UserSourceWrapper.java:179)

at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.updateCache(UserSourceWrapper.java:206)

at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.getUsers(UserSourceWrapper.java:107)

at com.inductiveautomation.ignition.gateway.web.components.user.UserSourceEditPage$UserActionTable.getItems(UserSourceEditPage.java:287)

at com.inductiveautomation.ignition.gateway.web.components.actions.ActionTable$1.load(ActionTable.java:56)

at com.inductiveautomation.ignition.gateway.web.components.actions.ActionTable$1.load(ActionTable.java:53)

at org.apache.wicket.model.LoadableDetachableModel.getObject(LoadableDetachableModel.java:121)

at org.apache.wicket.Component.getDefaultModelObject(Component.java:1615)

at org.apache.wicket.markup.html.list.ListView.getViewSize(ListView.java:219)

at org.apache.wicket.markup.html.list.ListView.onPopulate(ListView.java:473)

at org.apache.wicket.markup.repeater.AbstractRepeater.onBeforeRender(AbstractRepeater.java:116)

at org.apache.wicket.Component.internalBeforeRender(Component.java:922)

at org.apache.wicket.Component.beforeRender(Component.java:990)

at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1680)

at org.apache.wicket.Component.onBeforeRender(Component.java:3830)

at org.apache.wicket.Component.internalBeforeRender(Component.java:922)

at org.apache.wicket.Component.beforeRender(Component.java:990)

at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1680)

at org.apache.wicket.Component.onBeforeRender(Component.java:3830)

at org.apache.wicket.Component.internalBeforeRender(Component.java:922)

at org.apache.wicket.Component.beforeRender(Component.java:990)

at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1680)

at org.apache.wicket.Component.onBeforeRender(Component.java:3830)

at org.apache.wicket.Component.internalBeforeRender(Component.java:922)

at org.apache.wicket.Component.beforeRender(Component.java:990)

at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1680)

at org.apache.wicket.Component.onBeforeRender(Component.java:3830)

at org.apache.wicket.Page.onBeforeRender(Page.java:802)

at com.inductiveautomation.ignition.gateway.web.pages.BasePage.onBeforeRender(BasePage.java:303)

at com.inductiveautomation.ignition.gateway.web.pages.AuthenticatedPage.onBeforeRender(AuthenticatedPage.java:96)

at org.apache.wicket.Component.internalBeforeRender(Component.java:922)

at org.apache.wicket.Component.beforeRender(Component.java:990)

at org.apache.wicket.Component.internalPrepareForRender(Component.java:2204)

at org.apache.wicket.Page.internalPrepareForRender(Page.java:247)

at org.apache.wicket.Component.render(Component.java:2289)

at org.apache.wicket.Page.renderPage(Page.java:1021)

at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:116)

at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:244)

at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:165)

at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:814)

at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)

at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:97)

at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:253)

at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:210)

at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:281)

at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:188)

at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:245)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1596)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)

at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)

at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.Server.handle(Server.java:500)

at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)

at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)

at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)

at java.base/java.lang.Thread.run(Unknown Source)

Caused by: javax.naming.CommunicationException: simple bind failed: dc01.thebakergroup.com:636

at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtx.(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)

at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

at java.naming/javax.naming.InitialContext.init(Unknown Source)

at java.naming/javax.naming.ldap.InitialLdapContext.(Unknown Source)

at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:266)

... 86 common frames omitted

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)

at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)

at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)

at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(Unknown Source)

at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source)

at java.base/java.io.BufferedOutputStream.flushBuffer(Unknown Source)

at java.base/java.io.BufferedOutputStream.flush(Unknown Source)

at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)

at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)

at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)

... 98 common frames omitted

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)

at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)

at java.base/sun.security.validator.Validator.validate(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)

... 116 common frames omitted

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)

at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)

at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)

IT is telling me that their AD has a self-signed certificate. Other topics here talk about self-signed certs, but not with regard to LDAPS.

Looking for next steps.

You'll need to install your AD's self-signed cert as a trusted cert on the gateway: the "PKIX path building failed" error above means the gateway's JVM has no trusted certificate from which it can build a certification path to the AD server's certificate, so adding that cert to the gateway's trust store (rather than weakening TLS validation) is the fix; see this thread for more details:

That did it, thanks!
