Could it be that your LDAP server sends a certificate chain (not just the server cert)?
Usually:
- Leaf cert (the server)
- Issuer cert (your Tree CA)

So, even if `--allow-self-signed` is specified, the plugin tries to verify the chain using the trust store. The Tree CA is not in the system/Global setting trust store, so the verification fails.
I tried with my test PostgreSQL server, which presents only a self-signed certificate on 127.0.0.1, without a chain, and:
- The cert is self-issued (same subject and issuer).
- There’s no intermediate CA, just one cert.
In my case, `--allow-self-signed` allows the plugin to bypass trust store verification, as long as:
- The certificate is self-signed, and
- There’s no full chain being verified
For example:
```
$ check-cert --url 127.0.0.1 -p 5432 --allow-self-signed
Verification: self-signed certificate (allowed), Subject CN: localhost, Server certificate validity: 364 day(s) | overall_response_time=0.025580s;;;; certificate_remaining_validity=31531144s;;;;
Host to test: 127.0.0.1
Host port: 5432
Response time: 25 ms
Verification: self-signed certificate (allowed)
Subject CN: localhost
Issuer CN: localhost
Server certificate validity: 364 day(s)
```
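The two situations contrasted above, reproduced with Go's standard `crypto/x509` as an added example (not code from the original post or from the check-cert plugin): a lone self-issued certificate is recognised as self-signed, while a leaf issued by a CA fails chain verification against an empty trust store and only passes once that CA is added. `Classify`, `mkCert`, `Chains` and the names `Tree CA`, `localhost` and `ldap.example.test` are constructed for the example and are not the plugin's own logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds an in-memory test certificate (constructed, not a real server's); parent == nil means self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(364 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify reports whether the leaf is self-issued (subject == issuer and its signature verifies under
// its own key) and whether the presented chain builds to a root in the store: the two cases the post separates.
func Classify(chain []*x509.Certificate, roots *x509.CertPool) (selfSigned bool, trustErr error) {
	leaf := chain[0]
	selfSigned = string(leaf.RawSubject) == string(leaf.RawIssuer) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, trustErr = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return selfSigned, trustErr
}

// Chains builds the two cases from the post: a lone self-issued cert (the PostgreSQL test server)
// and a leaf plus the CA that issued it (the LDAP case); names are constructed.
func Chains() (lone, issued []*x509.Certificate) {
	self, _ := mkCert("localhost", false, nil, nil)
	ca, caKey := mkCert("Tree CA", true, nil, nil)
	leaf, _ := mkCert("ldap.example.test", false, ca, caKey)
	return []*x509.Certificate{self}, []*x509.Certificate{leaf, ca}
}
```

An empty, non-nil `CertPool` stands in for a trust store that lacks the Tree CA; passing `Roots: nil` would make Go fall back to the system roots instead.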