AD authentication certificate issues.

joveroc
Posts: 11
Joined: Wed Sep 14, 2016 7:35 am

Post by joveroc »

Hello,

I am having some problems with our AD authentication. We had to restore from backup and now AD authentication is not working. The error seems to be related to the certificate validity when I try to import users.

Code:

Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

I have removed and re-uploaded the certificate from our CA per the NagiosXI documentation and have had no luck. AD authentication was working prior to the restore.

Code:

openssl s_client -showcerts -connect x.x.x.x:636 </dev/null
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1

Any help would be appreciated.

Thanks,
Chris
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: AD authentication certificate issues.

Post by ssax »

Please PM me the full output of this command:

Code:

openssl s_client -showcerts -connect x.x.x.x:636 </dev/null

What OS/version are you running?

Code:

uname -a
cat /etc/*release

Please enable debug logging via this guide and send the debug log output:

https://support.nagios.com/kb/article/a ... n-600.html

Send the output of these commands as well:

Code:

ls -ld /etc/openldap
ls -l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts
cat /etc/openldap/ldap.conf

joveroc
Posts: 11
Joined: Wed Sep 14, 2016 7:35 am

Re: AD authentication certificate issues.

Post by joveroc »

PM sent.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: AD authentication certificate issues.

Post by ssax »

Try adding this to your /etc/openldap/ldap.conf:

Code:

TLS_CACERT /etc/openldap/certs/6033c0f9c486e.pem

Then restart apache:

Code:

systemctl restart httpd

If you're using php-fpm, restart that too:

Code:

systemctl restart php-fpm

Then test again.

If that doesn't work:

Please try adding your CA certificate (not the DC's cert) to:

Code:

/etc/pki/ca-trust/source/anchors/

Then run this command:

Code:

update-ca-trust extract

Then edit this file:

Code:

/etc/openldap/ldap.conf

Add this (replacing the other):

Code:

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Then restart apache:

Code:

systemctl restart httpd

If you're using php-fpm, restart that too:

Code:

systemctl restart php-fpm

Then test again and let us know the results.
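
Added example (not part of the original posts and not Nagios code): a POSIX shell check of the setting the steps above change, reporting whether an ldap.conf names a readable PEM CA file via TLS_CACERT (or a TLS_CACERTDIR) and whether TLS_REQCERT weakens verification. The function names ldap_opt and ldap_tls_audit and the demo files are constructed for illustration.

```shell
# Added example: audit the TLS trust settings of an OpenLDAP client config.
# ldap.conf option names are case-insensitive, '#' starts a comment line,
# and a later line overrides an earlier one.
ldap_opt() {  # usage: ldap_opt OPTION FILE -> effective value, if any
    awk -v want="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        toupper($1) == want  { val = $2 }
        END                  { if (val != "") print val }' "$2"
}

ldap_tls_audit() {  # usage: ldap_tls_audit FILE; returns 0 only if all OK
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }
    ca=$(ldap_opt TLS_CACERT "$conf")
    cadir=$(ldap_opt TLS_CACERTDIR "$conf")
    req=$(ldap_opt TLS_REQCERT "$conf" | tr 'A-Z' 'a-z')
    if [ -n "$ca" ]; then
        if [ ! -r "$ca" ]; then
            echo "FAIL TLS_CACERT $ca is missing or unreadable"; rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
            echo "FAIL TLS_CACERT $ca contains no PEM certificate"; rc=1
        else
            echo "OK   TLS_CACERT $ca"
        fi
    elif [ -n "$cadir" ] && [ -d "$cadir" ]; then
        echo "OK   TLS_CACERTDIR $cadir"
    else
        echo "FAIL no TLS_CACERT or TLS_CACERTDIR set in $conf"; rc=1
    fi
    case ${req:-demand} in   # demand is the client default
        never|allow) echo "FAIL TLS_REQCERT $req does not enforce verification"; rc=1 ;;
        *)           echo "OK   TLS_REQCERT ${req:-demand}" ;;
    esac
    return $rc
}

demo() {  # constructed sample files: config without, then with, a CA setting
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/ca.pem"
    printf 'URI ldaps://dc.example.test\n' > "$d/ldap.conf"
    ldap_tls_audit "$d/ldap.conf" || echo "-> exit status $?"
    printf 'tls_cacert %s\n' "$d/ca.pem" >> "$d/ldap.conf"
    ldap_tls_audit "$d/ldap.conf"
    rm -rf "$d"
}
demo
```

The check only reads the file it is given; settings from a per-user ldaprc or LDAPTLS_* environment variables are not considered, and a PEM marker does not prove the file holds the issuing CA.
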
joveroc
Posts: 11
Joined: Wed Sep 14, 2016 7:35 am

Re: AD authentication certificate issues.

Post by joveroc »

Hello,

The first command resolved the issue. The only other problem I had was that I had to re-add the users that were imported via AD. When they logged in they were getting a blank page after authenticating. Recreating the users via import from AD resolved this.

You can close this ticket. Thank you!
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: AD authentication certificate issues.

Post by benjaminsmith »

> You can close this ticket. Thank you!

Great! Appreciate the update.