Hello,
I'm having an issue similar to one posted by Mike_ on Dec. 7, 2015, "TLS Issues with Active Directory Integration". Following the instructions for Nagios XI – Using SSL with XI Active Directory, I am unable to successfully get the certificate from our LDAP server. Here is what I ran and what it returned:
[root@MyServer cacerts]# openssl s_client -showcerts -connect 10.10.10.10:636 > ldapsrv1.crt
depth=0 CN = MYSERVER.MYDOMAIN.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = MYSERVER.MYDOMAIN.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = MYSERVER.MYDOMAIN.com
verify error:num=21:unable to verify the first certificate.
verify return:1
read:errno=104
Any suggestions as to why I'm getting these errors and what I can do to remedy them is much appreciated.
Thanks in advance, Susie
Need help Configured SSL on trial server
Re: Need help Configured SSL on trial server
Is this a self-signed certificate? I am not an LDAP expert, but I know that certificate chains need to be trusted all the way up. According to this article, the first and third errors you are seeing indicate there is broken trust somewhere along the line. Specifically:

"There's an error here. Depth 2 means which certificate in the chain; in this case the third one, as they are numbered 0, 1 and 2, and this error means that openssl was unable to find a certificate for the issuer of certificate 2, whose Common Name (CN) is 'VeriSign Class 3 Public Primary Certification Authority – G5'. That's because the issuer is a root certificate and openssl does not know where the root certificates are. This can be fixed by adding the -CAfile option pointing to a file containing all the trusted root certificates, but where to get those? That's coming soon in another post. For now what we need to know is that we have three certificates in a chain and at least up to certificate 2, things are verifying correctly."

Reading around and judging by the errors, it sounds like whatever CA you might have in place does not line up with the certs further down the chain.
Former Nagios employee
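The script below is an added example, not code from either post, from Nagios or from the quoted article. It reproduces the point the reply makes: a certificate whose issuer is not in openssl's trust store fails with "error 20 ... unable to get local issuer certificate", and the same certificate verifies once -CAfile points at the issuing CA. It builds a throwaway two-level chain offline (the CA name "Example Lab CA" and the host "ldapsrv1.example.test" are constructed), so nothing is fetched from a real LDAP server. It also constructs a file shaped like what `openssl s_client -showcerts ... > ldapsrv1.crt` writes to stdout and pulls the server's own certificate (chain entry 0) back out of it: the verify errors go to stderr, so they do not stop the certificate from landing in the capture file. One practical note in my own voice: `read:errno=104` is ECONNRESET, the server dropping the idle connection after the handshake; feeding s_client `< /dev/null` lets it exit cleanly instead.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce openssl's
# "unable to get local issuer certificate" (num=20) on a lab-built chain,
# clear it with -CAfile, and recover the server cert from an s_client capture.
# All names (Example Lab CA, ldapsrv1.example.test) are constructed.
set -eu

# Create ca.crt and ldap.crt (a leaf signed by that CA) inside directory $1.
make_lab_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldapsrv1.example.test" \
    -keyout "$dir/ldap.key" -out "$dir/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/ldap.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/ldap.crt" >/dev/null 2>&1
}

# Print openssl's verdict on leaf $1; $2 is an optional CA bundle to trust.
# Always returns 0 so the text can be captured; use chain_ok for a status.
verify_leaf() {
  leaf=$1
  if [ $# -ge 2 ] && [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$leaf" 2>&1 || true
  else
    openssl verify "$leaf" 2>&1 || true
  fi
}

# Exit 0 when leaf $1 chains to a CA in bundle $2, non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write a constructed file shaped like s_client's stdout (the "verify error"
# lines are stderr, so they never appear in a file captured with ">").
fake_s_client_capture() {   # $1 = leaf cert, $2 = output file
  {
    echo "CONNECTED(00000003)"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:CN = ldapsrv1.example.test"
    echo "   i:CN = Example Lab CA"
    cat "$1"
    echo "---"
    echo "Server certificate"
    cat "$1"
    echo "subject=CN = ldapsrv1.example.test"
    echo "issuer=CN = Example Lab CA"
  } > "$2"
}

# Print only the first PEM block (chain entry 0, the server's own cert)
# from a capture file, dropping the handshake chatter around it.
extract_first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_lab_chain "$WORK"

echo "== without a trust anchor: the depth 0 / num=20 failure =="
verify_leaf "$WORK/ldap.crt"
echo "== with -CAfile pointing at the issuing CA =="
verify_leaf "$WORK/ldap.crt" "$WORK/ca.crt"

fake_s_client_capture "$WORK/ldap.crt" "$WORK/ldapsrv1.capture"
extract_first_cert "$WORK/ldapsrv1.capture" > "$WORK/ldapsrv1.crt"
echo "== certificate recovered from the s_client-style capture =="
openssl x509 -in "$WORK/ldapsrv1.crt" -noout -subject -issuer
```

Against a real directory server the same two-step check applies: save the capture with `openssl s_client -showcerts -connect HOST:636 < /dev/null > capture.txt`, extract the PEM block(s) with the awk one-liner, and run `openssl verify -CAfile <your CA bundle>` on the result; only once that prints `OK` is the file worth importing into the Java cacerts store.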