I recently upgraded from version 10 to 11. After doing so, all services that connect to my host via LDAPS started throwing SSL verification errors.
Turns out that the install process for version 11 installs several self-signed certs for AWS/Azure/etc. plugins. Windows Server isn't very smart, sees that the self-signed certs have a later expiration date (c. 2030) than the real LDAPS cert, and starts serving those instead. Since they're self-signed, all connections failed cert verification.
And yes, I know I shouldn't be running Veeam B&R on my DC, but Windows Server licenses are expensive! Already working on migrating the install to another host.
I realize this may be somewhat of an edge case, but I don't see the need to pre-install these certs until those plugins are actually used.
Per forum rules I created a support case - 04961516
-
- Influencer
- Posts: 17
- Liked: 1 time
- Joined: Aug 11, 2021 4:33 pm
- Full Name: Aram Akhavan
-
- Chief Product Officer
- Posts: 31561
- Liked: 6725 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Upgrading to version 11 broke my Windows Server 2k19 LDAPS connections
If you don't use the above-mentioned plug-ins, then I suppose you could simply delete them as well as their certificates from the store with no impact.
-
- Influencer
- Posts: 17
- Liked: 1 time
- Joined: Aug 11, 2021 4:33 pm
- Full Name: Aram Akhavan
Re: Upgrading to version 11 broke my Windows Server 2k19 LDAPS connections
And that's precisely what I did. But there was an impact! It took time to figure out why LDAPS started serving a self-signed cert, and during that time all LDAPS connections failed SSL verification.
I guess my point is, Windows Server 2k19 isn't very smart about certificate selection, so you should probably be careful about what you start dumping into customers' certificate stores, especially when it's in a hidden, automatic way. IMO it makes more sense to generate those certs when the plugins are actually used...
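A check for the condition described in this thread, added here as an example and not posted by any participant: it lists the certificates in the computer's Personal store and warns when the latest-expiring one usable for server authentication is self-signed. It assumes the LDAPS certificate is taken from `Cert:\LocalMachine\My` and uses `Subject -eq Issuer` as a heuristic for "self-signed".

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the DC.
# Assumption: the LDAPS certificate is chosen from the computer's Personal store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    ForEach-Object {
        # Collect EKU OIDs; the list is empty when the certificate has no EKU extension.
        $ekuOids = @($_.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            # Heuristic: a self-signed certificate names itself as issuer.
            SelfSigned = ($_.Subject -eq $_.Issuer)
            # A certificate without an EKU extension is valid for all purposes.
            ServerAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $serverAuthOid)
            Thumbprint = $_.Thumbprint
        }
    } |
    Sort-Object -Property NotAfter -Descending

# Full inventory, latest expiry first, so a newly installed certificate stands out.
$candidates | Format-Table -AutoSize

# The case from the thread: a self-signed certificate outlasting the CA-issued one.
$latest = $candidates | Where-Object { $_.ServerAuth } | Select-Object -First 1
if ($latest -and $latest.SelfSigned) {
    Write-Warning ("Latest-expiring server-auth certificate is self-signed: {0} (expires {1:yyyy-MM-dd}, thumbprint {2})" -f `
        $latest.Subject, $latest.NotAfter, $latest.Thumbprint)
}
```

Running it before and after a product upgrade on a domain controller shows whether the installer added certificates that could displace the CA-issued one.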