"Certificate has expired" when trying to authenticate via LDAP

After upgrading on-premises GitLab from 14.3.* to 14.5, the error below started to appear when trying to use AD (LDAP) authentication:

gitlab Could not authenticate you from Ldapmain because “Ssl connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)”

Before that happened, I had updated the Let's Encrypt certificate of the related AD (LDAP) server like this:

cp -pf path-to-Letsencrypt-root-certificate.pem /etc/gitlab/trusted-certs/ad.pem
cat path-to-AD-domain-certificate.pem >> /etc/gitlab/trusted-certs/ad.pem
gitlab-ctl reconfigure

Everything worked fine, until the update to 14.5. Do I have to store the trusted certificates somewhere else from now on?

As a “quick and dirty solution”, I disabled certificate verification for LDAP, but this is not what I actually need.


What happens when you connect to your LDAP server manually, to rule out a different error message?

openssl s_client -connect ldapserverfqdn:port

Alternatively, sslscan is a handy CLI tool to test TLS connections and certificates, chains and ciphers.

Maybe the LDAP server needs a service restart to load the updated TLS certificate into memory.
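Because the bundle in the question was built by concatenating a root certificate and the server certificate into /etc/gitlab/trusted-certs/ad.pem, the quickest way to see which entry OpenSSL is objecting to is to list every certificate's notAfter date. The script below is an added example, not code from the original post or from GitLab; it assumes that bundle path, and the two certificates it embeds are constructed, unsigned test data whose dates are modelled on a common cause of this exact error: the DST Root CA X3 cross-signing root used by Let's Encrypt's older chain expired on 30 September 2021, and a trust store that still pins it as an anchor produces "certificate verify failed (certificate has expired)".

```python
"""Audit a PEM bundle such as /etc/gitlab/trusted-certs/ad.pem: print each
certificate's subject CN and notAfter and flag expired entries.  Standard
library only; the DER walker reads just the fields it needs and verifies no
signature, so this is triage, not a trust decision."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # 2.5.4.3 commonName


def pem_to_der(bundle):
    """Yield the DER bytes of every certificate in a PEM bundle, in file order."""
    for b64 in PEM_RE.findall(bundle):
        yield base64.b64decode("".join(b64.split()))


def _tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed type."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, vstart, vend
        start = vend


def _tbs_fields(der):
    """Fields of tbsCertificate with the optional [0] version stripped:
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cstart, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tstart, tend = _tlv(der, cstart)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tstart, tend))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def _time(der, tag, start, end):
    s = der[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots two-digit years at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)  # else GeneralizedTime


def not_after(der):
    """notAfter of a DER certificate as an aware UTC datetime."""
    _, vstart, vend = _tbs_fields(der)[3]                    # Validity ::= SEQUENCE
    tag, start, end = list(_children(der, vstart, vend))[1]  # notBefore, notAfter
    return _time(der, tag, start, end)


def subject_cn(der):
    """commonName from the subject Name, or None if it has none."""
    _, sstart, send = _tbs_fields(der)[4]
    for _, rstart, rend in _children(der, sstart, send):  # SET OF AttributeTypeAndValue
        for _, astart, aend in _children(der, rstart, rend):
            (_, ostart, oend), (_, vstart, vend) = _children(der, astart, aend)
            if der[ostart:oend] == OID_CN:
                return der[vstart:vend].decode("utf-8")
    return None


def audit_bundle(bundle, now=None):
    """One (cn, not_after, expired) tuple per certificate in the bundle."""
    now = now or datetime.now(timezone.utc)
    return [(subject_cn(d), not_after(d), not_after(d) < now) for d in pem_to_der(bundle)]


# --- constructed test data: syntactically valid, unsigned, parse-only certificates ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _fake_cert(cn, not_before, not_after_):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after_.encode()))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + validity + name + _der(0x30, b""))          # empty SPKI placeholder
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy BIT STRING signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


# Shaped like the ad.pem from the question: a root whose validity ended on
# 30 Sep 2021 14:01:15 UTC (the DST Root CA X3 expiry) followed by a server cert.
SAMPLE_BUNDLE = (_fake_cert("Example Expired Root", "000930211219Z", "210930140115Z")
                 + _fake_cert("ad.example.com", "211101000000Z", "491231235959Z"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for cn, na, expired in audit_bundle(text):
        print(f"{'EXPIRED' if expired else 'ok     '} {na:%Y-%m-%d %H:%M:%SZ} {cn}")
```

Run it as `python3 audit_certs.py /etc/gitlab/trusted-certs/ad.pem`; with no argument it audits the embedded sample and flags the first entry. Cross-check any flagged entry with `openssl x509 -noout -subject -enddate -in <that-cert.pem>`, and compare the bundle against the chain the LDAP server actually presents with `openssl s_client -connect ldapserverfqdn:636 -showcerts`; if the expired root is only there because it was copied in by hand, replacing it with the current Let's Encrypt root and running `gitlab-ctl reconfigure` is the fix rather than disabling verification.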