kaysond

Upgrading to version 11 broke my Windows Server 2k19 LDAPS connections

Post by kaysond »

I recently upgraded from version 10 to 11. After doing so, all services that connect to my host via LDAPS started throwing SSL verification errors.

Turns out that the install process for version 11 installs several self-signed certs for AWS/Azure/etc. plugins. Windows Server isn't very smart, sees that the self-signed certs have a later expiration date (c. 2030) than the real LDAPS cert, and starts serving those instead. Since they're self-signed, all connections failed cert verification.

And yes, I know I shouldn't be running Veeam B&R on my DC, but Windows Server licenses are expensive! Already working on migrating the install to another host.

I realize this may be somewhat of an edge case, but I don't see the need to pre-install these certs until those plugins are actually used.

Per forum rules I created a support case - 04961516
Gostev
Chief Product Officer

Re: Upgrading to version 11 broke my Windows Server 2k19 LDAPS connections

Post by Gostev »

If you don't use the above-mentioned plug-ins, then I suppose you could simply delete them as well as their certificates from the store with no impact.
kaysond

Re: Upgrading to version 11 broke my Windows Server 2k19 LDAPS connections

Post by kaysond »

And that's precisely what I did. But there was an impact! It took time to figure out why LDAPS started serving a self-signed cert, and during that time all LDAPS connections failed SSL verification.

I guess my point is, Windows Server 2k19 isn't very smart about certificate selection, so you should probably be careful about what you start dumping into customers' certificate stores, especially when it's in a hidden, automatic way. IMO it makes more sense to generate those certs when the plugins are actually used...
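
An audit for the situation described in this thread, added here as an example and not part of any post or of the vendor's tooling: it lists every certificate in the domain controller's `LocalMachine\My` store that could be offered for LDAPS and flags self-signed ones. Sorting by expiry follows the selection behaviour the original poster reported, which is an assumption of this example; run it in an elevated PowerShell session on the DC.

```powershell
# Added example: find certificates in LocalMachine\My that are usable for
# TLS server authentication and could therefore compete with the intended
# LDAPS certificate. Read-only; nothing is changed or deleted.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        # A certificate with no EKU extension is valid for all purposes,
        # so it is treated as a candidate as well.
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object NotAfter -Descending |   # assumption: latest expiry is preferred
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)
            DnsNames   = ($_.DnsNameList.Unicode -join ', ')
        }
    }

$candidates | Format-Table -AutoSize

# Warn when the certificate at the top of the list is self-signed, which is
# the condition that broke LDAPS verification in this thread.
$top = $candidates | Select-Object -First 1
if ($top -and $top.SelfSigned) {
    Write-Warning ("Latest-expiring candidate {0} is self-signed ({1}); " +
        "LDAPS clients that verify the chain may reject it." -f
        $top.Thumbprint, $top.Subject)
}

# More than one candidate means the served certificate depends on the
# selection logic rather than on an explicit choice.
if (@($candidates).Count -gt 1) {
    Write-Warning "$(@($candidates).Count) server-auth candidates found in LocalMachine\My."
}
```

Running the same check before and after installing or upgrading software on a DC shows whether the installer added new server-authentication certificates to the store.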