Unable to authenticate: error:14090086

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
mccrakem
Posts: 129
Joined: Mon Jun 19, 2017 8:28 am

Unable to authenticate: error:14090086

Post by mccrakem »

Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

I have stood up a new test Nagios XI Server on CentOS 7

When I try and Access the Active Directory Users and Computers I get the above error message

The same config works fine on our Red Hat 6 Server

I have attached Screenshots of the Authentication Server Configuration and the Certificate Authority Management


On the D-OPS-03 Domain Controller the following setting is applied
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"ldapserverintegrity"=dword:00000002

From what I see it looks like it is something to do with the Certificate.

The Server D-OPS-03 is our CA Server


If I change the setting "ldapserverintegrity"=dword:00000002 to 0
and set the Security Setting to None under the Authentication Server then the connection works fine
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to authenticate: error:14090086

Post by cdienger »

What are the permissions set to on the ldap directory when you run "ls -alhR /etc/openldap" ? We'd expect them to look something like:

Code: Select all

ls -alhR /etc/openldap/
/etc/openldap/:
total 20K
drwxrwxr-x.  4 apache nagios 4.0K Jun 17 09:53 .
drwxr-xr-x. 85 root   root   4.0K Jun 17 15:29 ..
drwxrwxr-x   2 apache nagios 4.0K Jun 17 09:53 cacerts
drwxrwxr-x.  2 apache nagios 4.0K Mar 22  2017 certs
-rw-rw-r--   1 apache nagios  317 Jun 17 09:53 ldap.conf

/etc/openldap/cacerts:
total 8.0K
drwxrwxr-x  2 apache nagios 4.0K Jun 17 09:53 .
drwxrwxr-x. 4 apache nagios 4.0K Jun 17 09:53 ..

/etc/openldap/certs:
total 72K
drwxrwxr-x. 2 apache nagios 4.0K Mar 22  2017 .
drwxrwxr-x. 4 apache nagios 4.0K Jun 17 09:53 ..
-rw-r--r--. 1 root   root    64K May  6  2015 cert8.db
-rw-r--r--. 1 root   root    16K May  6  2015 key3.db
-r--------. 1 root   root     45 May  6  2015 password
-rw-r--r--. 1 root   root    16K May  6  2015 secmod.db
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
mccrakem
Posts: 129
Joined: Mon Jun 19, 2017 8:28 am

Re: Unable to authenticate: error:14090086

Post by mccrakem »

Hi

All the permissions look ok


[root@dwylbopngios02 openssl]# ls -alhR /etc/openldap
/etc/openldap:
total 20K
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 .
drwxr-xr-x. 105 root root 8.0K Jun 18 11:18 ..
drwxrwxr-x 2 apache nagios 29 Jun 19 03:37 cacerts
drwxrwxr-x. 2 apache nagios 120 Jun 19 03:37 certs
-rw-rw-r-- 1 apache nagios 400 Jun 18 09:01 ldap.conf
-rw-rw-r-- 1 apache nagios 400 Jun 18 09:01 ldap.conf.bak

/etc/openldap/cacerts:
total 0
drwxrwxr-x 2 apache nagios 29 Jun 19 03:37 .
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 ..
lrwxrwxrwx 1 apache apache 37 Jun 18 09:51 5eeb716e1945c.0 -> /etc/openldap/certs/5eeb716e1945c.pem

/etc/openldap/certs:
total 76K
drwxrwxr-x. 2 apache nagios 120 Jun 19 03:37 .
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 ..
-rw-r--r-- 1 apache apache 2.0K Jun 18 09:51 5eeb716e1945c.crt
-rw-r--r-- 1 apache apache 5.8K Jun 18 09:51 5eeb716e1945c.pem
-rw-r--r--. 1 root root 64K May 3 2018 cert8.db
-rw-r--r--. 1 root root 16K May 3 2018 key3.db
-r--------. 1 root root 45 May 3 2018 password
-rw-r--r--. 1 root root 16K May 3 2018 secmod.db
[root@dwylbopngios02 openssl]#
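
OpenSSL reports "unable to get local issuer certificate" when it cannot find the issuing CA's certificate in its trust store; when that store is a directory, the CA is looked up by a file named after the certificate's subject hash (`<hash>.0`). The script below is an added example, not part of the thread or of Nagios XI: it audits a directory like the `/etc/openldap/cacerts` listed above against that naming rule, using a constructed throwaway CA and server certificate. It assumes the LDAP client reads the directory through OpenSSL's hashed lookup; the function names are hypothetical.

```bash
# Added example, not from the thread. All names and certificates are constructed.
# check_ca_dir lists a hashed CA directory (non-certificate entries are skipped)
# and returns how many entries OpenSSL cannot find by subject-hash lookup.
check_ca_dir() {
    local dir=$1 bad=0 entry name want
    for entry in "$dir"/*; do
        name=$(basename "$entry")
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "DANGLING $name"; bad=$((bad + 1)); continue
        fi
        want=$(openssl x509 -in "$entry" -noout -subject_hash 2>/dev/null) || continue
        case $name in
            "$want".[0-9]*) echo "OK       $name" ;;
            *) echo "MISNAMED $name (expected $want.0)"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Create the name OpenSSL searches for: <subject_hash>.0 -> certificate.
link_by_hash() {
    local hash
    hash=$(openssl x509 -in "$2" -noout -subject_hash) || return 1
    ln -sf "$2" "$1/$hash.0"
}

# True only if certificate $2 chains to a CA found through directory $1.
verifies() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Constructed data: throwaway CA and server certificate; the CA is placed in
# cacerts/ under a name that is not its subject hash.
make_demo() {
    mkdir -p "$1/cacerts"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
    ln -s "$1/ca.pem" "$1/cacerts/constructed-id.0"
}

demo=$(mktemp -d) && make_demo "$demo"
check_ca_dir "$demo/cacerts" || echo "$? entry not reachable by hash lookup"
verifies "$demo/cacerts" "$demo/leaf.pem" || echo "verify fails before link_by_hash"
link_by_hash "$demo/cacerts" "$demo/ca.pem" && verifies "$demo/cacerts" "$demo/leaf.pem" \
    && echo "verify OK after link_by_hash"; rm -rf "$demo"
```

On OpenSSL 1.1.0 and later, `openssl rehash <dir>` creates the hash links for every certificate in a directory in one step.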
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to authenticate: error:14090086

Post by cdienger »

It's having difficulty getting or matching the cert. Let's get a tcpdump so we can confirm the communication and the certificate. Do this on the XI command line:

Code: Select all

yum -y install tcpdump      # CentOS/RHEL
apt-get install tcpdump     # Debian/Ubuntu

Code: Select all

tcpdump -s 0 -i any host w.x.y.z -w output.pcap
Where w.x.y.z is the IP address of the DC. Let this run just long enough to try to authenticate and reproduce the error then use CTRL+C to stop it. Please PM me the output.pcap file this creates.
mccrakem
Posts: 129
Joined: Mon Jun 19, 2017 8:28 am

Re: Unable to authenticate: error:14090086

Post by mccrakem »

Hi

PM message sent with output.pcap file

Thanks
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to authenticate: error:14090086

Post by cdienger »

The file doesn't appear to have made it. Try compressing it and changing the extension to .zip.