I've tried to monitor the LDAP server farm's secure connection with the check_ldap plugin. I'm getting the following error:
[root@naggy libexec]# ./check_ldap -H abc.uwo.ca -p 636 -b "ou=people,o=uwo,dc=xyz" -v
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS error -8179:Peer's Certificate issuer is not recognized.
Could not bind to the LDAP server
Thanks
check_ldap ssl fails with "Could not bind to the LDAP server
-
westernuniv
- Posts: 120
- Joined: Tue Aug 21, 2012 9:29 am
Re: check_ldap ssl failed with "Could not bind to the LDAP s
Looks like it's a self-signed certificate, is that correct?
If so, you need to import the CA cert into the system, you can follow this guide to do so:
*** I know it says it's for the AD component but it's still valid for the issue you're experiencing.
*** Note: You would run the openssl s_client command against your certificate authority.
https://assets.nagios.com/downloads/nag ... ponent.pdf
-
westernuniv
- Posts: 120
- Joined: Tue Aug 21, 2012 9:29 am
Re: check_ldap ssl fails with "Could not bind to the LDAP se
Hi, thanks for your response. Actually the ldap server farm is using a Thawte signed certificate.
Re: check_ldap ssl fails with "Could not bind to the LDAP se
The error "Peer's Certificate issuer is not recognized" is saying that at least something in the certificate chain is not trusted by the server.
It's not an RSA-PSS (Alternative Signature Format) certificate, is it?
-
westernuniv
- Posts: 120
- Joined: Tue Aug 21, 2012 9:29 am
Re: check_ldap ssl fails with "Could not bind to the LDAP se
Hi, after googling I found that if I set the env variable LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt in the nagios server cmd line before executing the check, it worked
Re: check_ldap ssl fails with "Could not bind to the LDAP se
westernuniv wrote: Hi, after googling I found that if I set the env variable LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt in the nagios server cmd line before executing the check, it worked
Glad to hear it worked, does that solve this issue for you?
Former Nagios Employee.
-
westernuniv
- Posts: 120
- Joined: Tue Aug 21, 2012 9:29 am
Re: check_ldap ssl fails with "Could not bind to the LDAP se
I've created a new service XI check for the ldap secure query and pass the env variable.
Thanks
Re: check_ldap ssl fails with "Could not bind to the LDAP se
westernuniv wrote: I've created a new service XI check for the ldap secure query and pass the env variable. Thanks
Are we all right to close this thread, or is there anything else we can assist you with?
Former Nagios Employee.
-
westernuniv
- Posts: 120
- Joined: Tue Aug 21, 2012 9:29 am
Re: check_ldap ssl fails with "Could not bind to the LDAP se
That's all I need. Thanks
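The fix reported in this thread, setting LDAPTLS_CACERT before the check runs, can be wrapped so the variable applies only to the plugin process and a missing or empty trust store is reported as UNKNOWN instead of as a bind failure. This is an added example, not part of the original posts and not Nagios code; the plugin path and the `check_ldaps` function name are assumptions, and the bundle path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: run check_ldap with an explicit CA bundle for LDAPS checks.

# Bundle path as quoted in the thread; override via the environment if needed.
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
# Assumed plugin location; adjust to the local libexec directory.
PLUGIN="${PLUGIN:-/usr/local/nagios/libexec/check_ldap}"

# Nagios plugin exit code for "UNKNOWN".
STATE_UNKNOWN=3

check_ldaps() {
    # A trust store that is absent or holds no PEM certificates would make
    # every TLS handshake fail; surface that as UNKNOWN with a clear message.
    if [ ! -r "$CA_BUNDLE" ]; then
        echo "UNKNOWN - CA bundle $CA_BUNDLE is not readable"
        return $STATE_UNKNOWN
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$CA_BUNDLE"; then
        echo "UNKNOWN - no PEM certificates found in $CA_BUNDLE"
        return $STATE_UNKNOWN
    fi
    if [ ! -x "$PLUGIN" ]; then
        echo "UNKNOWN - plugin $PLUGIN is not executable"
        return $STATE_UNKNOWN
    fi
    # The assignment prefix scopes LDAPTLS_CACERT to this one process, so the
    # trust setting does not leak into other checks run by the same shell.
    LDAPTLS_CACERT="$CA_BUNDLE" "$PLUGIN" "$@"
}

# When invoked with arguments (for example as a Nagios command), pass them
# straight through to check_ldap and return its exit status.
if [ "$#" -gt 0 ]; then
    check_ldaps "$@"
    exit $?
fi
```

Saved as a script and referenced from a command definition, it takes the same arguments as check_ldap itself.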