We recently replaced an expired root certificate in Active Directory. When we are trying to authenticate via STARTTLS, I get the following error:
Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
Checked the certificate on the server with the following command:
openssl s_client -showcerts -connect servername.domain.tld:636 (with our true names) and am not getting any errors.
I have created a workaround which disables encryption on LDP for the time being, but I am trying to get down to the root cause and solution.
Error after Certificate updated in LDAP/AD Import Users
Re: Error after Certificate updated in LDAP/AD Import Users
Please follow these steps and it should resolve it:

If your XI server OS version is RedHat/CentOS/Oracle:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /etc/pki/ca-trust/source/anchors/

Then run these commands:

    update-ca-trust extract
    systemctl restart httpd php-fpm

Then test it again.

If that still doesn't work, take your CA certs and put them into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart httpd php-fpm

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636

If your XI server OS version is Ubuntu/Debian:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /usr/local/share/ca-certificates/

Then run these commands:

    sudo update-ca-certificates
    systemctl restart apache2

Then test it again.

If that still doesn't work, take your CA certs and put them into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/ldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart apache2

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
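The procedure above (trust the CA that issued the LDAP server's certificate, either through the OS anchors directory or through a ca.pem bundle named by TLS_CACERT) can be reproduced offline. The script below is an added example, not code from the original post or from Nagios: it generates a throwaway root CA and a server certificate issued by it, shows that OpenSSL reports "unable to get local issuer certificate" (verify error 20) when the client trusts nothing, splits a constructed `openssl s_client -showcerts` transcript into one .crt file per certificate as the first step asks, keeps only the CA certificates and stacks them into a bundle as the fallback step asks, and verifies the server certificate against that bundle. The hostname ad.example.test, the CA name and all files under the temporary directory are assumptions made up for the example; only the openssl CLI, POSIX sh and awk are required.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nagios.
# Reproduces the thread's failure offline and walks the fix the post describes:
#   1. a client that does not trust the issuing CA gets
#      "unable to get local issuer certificate" (OpenSSL verify error 20);
#   2. split the chain the server presents into one .crt per certificate
#      (the "individual files in the anchors directory" step);
#   3. keep only the CA certificates and concatenate them into a ca.pem bundle
#      (the TLS_CACERT fallback); verification then succeeds.
# Assumes only the openssl CLI and POSIX sh/awk. The CA, server certificate
# and hostname ad.example.test are throwaway values generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a self-signed root CA and a server certificate it issues.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ad.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the server certificate trusting only the bundle in $1 ("-" = nothing).
# Prints openssl's verdict instead of failing so the caller can inspect it.
verify_server_cert() {
  if [ "$1" = "-" ]; then
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" 2>&1 || true
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/server.pem" 2>&1 || true
  fi
}

# Step 1: with no trusted issuer the verdict is the thread's error 20.
chain_fails_without_ca() {
  case "$(verify_server_cert -)" in
    *"unable to get local issuer certificate"*) return 0 ;;
  esac
  return 1
}

# Step 3 check: with the CA bundle in $1 the server certificate verifies.
chain_ok_with_ca() {
  case "$(verify_server_cert "$1")" in
    *": OK"*) return 0 ;;
  esac
  return 1
}

# Constructed stand-in for `openssl s_client -showcerts` output: the chatter
# around the PEM blocks mimics what s_client prints, the certificates are ours.
make_showcerts_transcript() {
  {
    echo "CONNECTED(00000003)"
    echo "depth=1 CN = Example Test Root CA"
    echo "verify return:1"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:CN = ad.example.test"
    echo "   i:CN = Example Test Root CA"
    cat "$WORK/server.pem"
    echo " 1 s:CN = Example Test Root CA"
    echo "   i:CN = Example Test Root CA"
    cat "$WORK/ca.pem"
    echo "---"
    echo "DONE"
  } > "$WORK/showcerts.txt"
}

# Step 2: one .crt file per certificate found in transcript $1, written to dir $2.
split_pem_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain-%02d.crt", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$1"
}

# Step 3: keep only certificates OpenSSL accepts as a server CA (root or
# intermediate) and stack them into one bundle $2, as the post describes.
build_ca_bundle() {
  : > "$2"
  for f in "$1"/*.crt; do
    if openssl x509 -in "$f" -noout -purpose | grep -q '^SSL server CA : Yes'; then
      cat "$f" >> "$2"
    fi
  done
}

count_files() { set -- "$1"/*.crt; echo "$#"; }

demo() {
  make_test_pki
  echo "without CA: $(verify_server_cert - | grep -c 'unable to get local issuer certificate') line(s) reporting error 20"
  make_showcerts_transcript
  split_pem_chain "$WORK/showcerts.txt" "$WORK/anchors"
  echo "split transcript into $(count_files "$WORK/anchors") certificate file(s)"
  build_ca_bundle "$WORK/anchors" "$WORK/bundle.pem"
  echo "with bundle: $(verify_server_cert "$WORK/bundle.pem")"
}
demo
```

The leaf certificate is dropped from the bundle on purpose: a TLS_CACERT file should hold only signer certificates, and the `-purpose` check is what separates a CA (root or intermediate) from the server's own certificate when the s_client transcript contains both. On a real XI server the split files go into the anchors directory named in the post and the bundle goes wherever TLS_CACERT points.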
Re: Error after Certificate updated in LDAP/AD Import Users
That did the trick. Thanks for the help.
Re: Error after Certificate updated in LDAP/AD Import Users
Excellent. We'll go ahead and close this out, but feel free to contact us again if you have any questions.
Have a great weekend!
--Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!