I am currently in the process of moving our Nagios XI installation (5.6.5 on CentOS 7 64-bit, manual install).
We have two domain controllers running LDAPS, each with their own self-signed certificate. Thus I wanted to instruct XI to trust both of these certificates.
The first certificate was added without problems, but adding the second certificate gives the error "This certificate has already been added".
I have tried to add other (unrelated) certificates, but they fail as well. I can only have a single certificate registered at a time.
I did some digging in html/includes/components/ldap_ad_integration/ajax.php and I believe this is a permissions issue.
I found the following in the Apache log:
PHP Warning: file_put_contents(/etc/openldap/certs/5e3a95b01f15f.crt): failed to open stream: Permission denied in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.php
Thus adding the first certificate creates the (broken) symbolic link .0 in cacerts.
Changing the permissions on certs to rwxrwxr-x (was rwxr-xr-x) and the owner to apache:nagios (was root:root) fixed the issue!
Are these the recommended permissions for /etc/openldap/certs?
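
A check for the state described in the post, added here as an example and not taken from Nagios XI: it lists symlinks whose target is missing (hidden names such as .0 included) and reports whether the invoking user can write to the certs directory. The function names are hypothetical, and the full cacerts path in the usage comment is an assumption, since the post only names the directory "cacerts".

```shell
#!/bin/sh
# Added diagnostic example, not Nagios XI code.
# Usage: sh check_ldap_certs.sh <certs dir> <cacerts dir>
# e.g.   sh check_ldap_certs.sh /etc/openldap/certs /etc/openldap/cacerts
# (the cacerts path above is an assumption; the post does not give it in full)

# List symlinks directly inside $1 whose target does not exist.
# Hidden names are included because the post reports a link called ".0".
dangling_links() {
    for link in "$1"/* "$1"/.[!.]*; do
        # -L: entry is a symlink; ! -e: its target cannot be resolved
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link")"
        fi
    done
}

# Number of dangling links in $1, so a caller can alert on a non-zero result.
dangling_count() {
    dangling_links "$1" | wc -l | tr -d ' '
}

# Show owner, group and mode of $1 and whether the invoking user can create
# files in it. Run as the web server account (apache in the post) to test
# the access the certificate upload actually has.
write_access() {
    ls -ld "$1"
    if [ -w "$1" ] && [ -x "$1" ]; then
        echo "writable by $(id -un)"
    else
        echo "NOT writable by $(id -un)"
        return 1
    fi
}

# Only act when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    write_access "$1"
    echo "dangling links in $2: $(dangling_count "$2")"
    dangling_links "$2"
fi
```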