Concourse doesn't report when LDAP server's SSL cert expires

We use Let's Encrypt certs and put them on our LDAP server. A few days ago the cert got rolled over but the LDAP server didn't get HUPped so it was still using the old one.

Concourse web continued to work for a few days, so I guess it caches usernames/passwords? Then this morning it stopped working and we couldn't log in.

There was nothing sent to the log to suggest a cert validation error, saying "bad SSL cert on LDAP server" or something.

But well done that it doesn't accept expired certificates; we have other things that have continued to work despite the bad LDAP server SSL cert!

There is a CONCOURSE_LDAP_INSECURE_SKIP_VERIFY ENV you can set to true on the concourse web node to get it to skip the verify. I assume there is a corresponding config, but not sure what that is.

However, it looks like you actually have an issue with your "other" systems accepting an invalid cert, and you might want to fix that and leave Concourse alone. Your LDAP server is a high value, low effort target. By allowing invalid certs you are opening yourself to session hijacking and man-in-the-middle attacks, so you may want to reconsider.

Even if it is a dev LDAP instance you might want to consider ensuring you have proper PKI in place, as it would have caught your HUP issue immediately. True, it would look like the sky is falling as everything stops working, but one or two of those systems would have had proper logging so you would have seen the issue quickly. Just a thought.
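The two points made so far, that the server cert had silently expired and that the client should have said so in its log, can be demonstrated with Go's own `crypto/x509` verifier (the same one Concourse's LDAP client ultimately relies on). The following is an added example written for this thread, not Concourse code: it builds a constructed self-signed certificate that expired two days ago, verifies it the way a TLS client would, and turns the resulting error into a one-line, greppable log message that names the host, the verdict and the `NotAfter` date. The hostname `ldap.example.test` and the `FetchPeerCert` helper are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// makeSelfSignedCert builds a throwaway self-signed server certificate for the
// given validity window. Constructed test data only, not a real LDAP cert.
func makeSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: acts as its own trust root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClassifyVerifyError turns Go's x509 verification error into a short, stable
// label an operator can search for in logs instead of a bare "handshake failed".
func ClassifyVerifyError(err error) string {
	if err == nil {
		return "ok"
	}
	var invalid x509.CertificateInvalidError
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // Go uses this reason for both expired and not-yet-valid
	case errors.As(err, &unknownCA):
		return "untrusted-issuer"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	default:
		return "invalid"
	}
}

// VerifyServerCert runs the checks a TLS client runs (validity window, hostname,
// trust chain) at a chosen point in time and returns a log-ready verdict.
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return ClassifyVerifyError(err), err
}

// DaysUntilExpiry returns whole days until NotAfter; negative once expired.
// This is the number a cert-expiry monitor alerts on before it ever reaches zero.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// ExpiryLogLine is the message the original poster wanted to see: host, verdict
// and the NotAfter date, so nobody has to guess why logins stopped.
func ExpiryLogLine(host string, cert *x509.Certificate, verdict string, now time.Time) string {
	return fmt.Sprintf("ldap tls check host=%s verdict=%s not_after=%s days_left=%d",
		host, verdict, cert.NotAfter.UTC().Format(time.RFC3339), DaysUntilExpiry(cert, now))
}

// FetchPeerCert (hypothetical monitoring helper) connects to an LDAPS endpoint and
// returns the leaf certificate it presents. Verification is skipped here only so
// the cert can be inspected and reported; VerifyServerCert does the real check.
func FetchPeerCert(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented by %s", addr)
	}
	return certs[0], nil
}

func main() {
	now := time.Now()
	host := "ldap.example.test" // constructed hostname
	// Simulate the situation in the thread: the server still serves a cert
	// that expired two days ago because it was never reloaded.
	stale, err := makeSelfSignedCert(host, now.Add(-90*24*time.Hour), now.Add(-48*time.Hour))
	if err != nil {
		log.Fatal(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(stale)
	verdict, _ := VerifyServerCert(stale, roots, host, now)
	fmt.Println(ExpiryLogLine(host, stale, verdict, now))
}
```

To use this against a real LDAPS endpoint, pass the result of `FetchPeerCert("ldap.example.test:636")` to `VerifyServerCert` with `x509.SystemCertPool()` as the roots; a `days_left` below your threshold is the alert the monitoring in this thread would have raised, and the `verdict=expired` line is what a client log should carry when the handshake is refused.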

Yes, I do have SSL certificate monitoring in place for most things but I forgot the LDAP server.

My point rests, that Concourse should log SSL failure rather than leave the operator in the dark.

Actually, one of the systems that ignored the expiry was a commercial product. I won't name and shame!

Agreed that Concourse should have logged the SSL failure. That seems like a defect.

Was this the right place to report the problem, and is there a hope it will get fixed?

I think raising a GitHub issue is probably a better way to flag a defect in the product. The forum is better suited for debugging/investigating unknown problems.