topic Re: Check Point LDAPS connection breaks everytime AD certificate is renewed in Firewall and Security Management

Check Point LDAPS connection breaks everytime AD certificate is renewed

Tierre_Amaral — Fri, 30 Oct 2020 15:00:57 GMT

Hello everyone,

Not sure if someone also has or had this problem but this is the 2nd recurrent year we had been in this situation. We use LDAPS (port 636, LDAP Account UnIt) config to connect to our ADs for Remote Access Usage and IA. Microsoft DCs generate a 1year expiration certificate which Check Point firewall validates using the fingerprint fetch process (Servers > Edit > Encryption > Fetch).

The thing is every year this certificate auto-renews and turns out the old fingerprint becomes invalid and that's where our lives stress out: no one is then able to access Internet through IA rules or connect to the environment through Remote access VPN until we manually fetch the new fingerprint in every LDAP server configured then push policy.

I haven't seen any statement from Check Point showing a permanent fix for this (Hotfix or Patch) or any other option that allow us to use LDAPS and auto-fetch the fingerprint or something that not let this happen again.

Please help!!!

Firewall version is R80.20

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Sigbjorn — Sat, 31 Oct 2020 14:35:19 GMT

I created a supportcase with TAC on this issue a few years ago. They didn't have a fix, but asked if I could just remove the fingerprint from the account unit. That way Check Point won't try to validate it and will accept any certificate. (This was for R77.30)

This was a good enough workaround for us at the time, since its a closed environment and we don't see any big chances of a mitm or anything.

But it feels like something that should be added to an API if it isn't already.

I'll check the api docuementation for account units on monday, and register an rfe is I cant find a way to fix it.

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Wolfgang — Sat, 31 Oct 2020 17:44:22 GMT

@Tierre_Amaral

this is a very old known limitation. LDAP failing with "SSL finger print does not match" shows the solution mentioned by @Sigbjorn

A lot of the members here are waiting for a solution, don‘t know if something changed with R81? Did not tried yet but maybe someone here did ?

Wolfgang

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Royi_Priov — Sun, 01 Nov 2020 12:17:15 GMT

Hi @Tierre_Amaral ,

This is not a specific problem to Identity Awareness, but to our authentication I/S.

We had a customer release to change the trust mechanism to be based on PKI, and this way a certificate renewal won't affect the LDAPS query operations.

You are more than welcome to open an RFE for getting this change, until it will be included in our GA versions.

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Sigbjorn — Mon, 02 Nov 2020 12:06:02 GMT

I see you'll get the fingerprint in the show-generic-object API, under ldapServers -> ldapSslSettings -> ldapSslFingerprints, so you should be able to update it via set-generic-object as well. (But I haven't had time to figure out the correct syntax for that yet)

To get the current certificate fingerprint you can run this one-liner from the management: cpopenssl s_client -connect 10.10.10.10:636 2>&1 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | cpopenssl x509 -noout -md5 -fingerprint

But putting all that aside, the PKI option Royi mentions sounds like the best approach. 🙂 (Hopefully this will be in the default release soon.)

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

David_C1 — Fri, 25 Jun 2021 12:59:16 GMT

Hi @Royi_Priov

Any update on this? All of our IA functionality broke yesterday because of the certificate rotation on our domain controllers.

Dave

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

the_rock — Fri, 25 Jun 2021 13:55:01 GMT

I agree with @Wolfgang . I also saw this before and TAC told me it was a known problem...not sure when CP plans on fixing it though.

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

StephS — Thu, 26 Aug 2021 13:05:34 GMT

Hi @Royi_Priov,

we have the same problem as @Tierre_Amaral and opened a SR, however Check Point Support told us there is no private fix for this. How are we able to get the fix for this?

Thanks,

Steph

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Martin_Valenta — Fri, 27 Jan 2023 10:18:16 GMT

is it going to be fixed in any GA version? it's kind of annoying to re fetch certificates

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Machine_Head — Fri, 27 Jan 2023 12:07:09 GMT

Just leave the fingerprint field empty 🙂

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

piteyyy — Fri, 10 Feb 2023 13:30:12 GMT

Is that a joke or a true story?

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Arskaz — Tue, 03 Oct 2023 06:46:15 GMT

Still unfixed?

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

David_C1 — Tue, 03 Oct 2023 16:54:06 GMT

I can confirm, at least in R81.10 JHFA Take 95, this is still a problem.

Dave

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

the_rock — Tue, 03 Oct 2023 17:11:42 GMT

Did TAC confirm the same?

Andy

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

David_C1 — Tue, 03 Oct 2023 17:25:18 GMT

TAC didn't need to confirm, my broken IA was all the confirmation I needed (fixed once we re-fetched fingerprints).

Dave

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

the_rock — Tue, 03 Oct 2023 17:35:45 GMT

Ok, gotcha...so version/jumbo is still the same, you just refetched the fingerprint?

Andy

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

David_C1 — Tue, 03 Oct 2023 18:17:05 GMT

Correct.

Dave

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

Machine_Head — Wed, 04 Oct 2023 14:47:01 GMT

sorry for the late reply but yeah, that works.

Re: Check Point LDAPS connection breaks everytime AD certificate is renewed

gm446 — Wed, 24 Jan 2024 10:55:26 GMT

Hi Royi,

this change is already happened on R81.20?

Best Regards,
Yossi.