Hello Community,
I am replacing the domain cert in the LDAP/Active Directory Integration Configuration section in NagiosXI (Admin -> Users -> LDAP/AD Integration), and when I attempt to import a user the system gives me the following error:
Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
The old cert expired, but the new one is good for some time.
Our setup:
We are running CentOS 7 64 bit on VMWare.
Troubleshooting steps:
I removed the old cert and rebooted the system (since I wasn't sure which service needed to be restarted).
And I ran an Apply Configuration in case the cert was part of the Config (I know it probably wasn't but I didn't know what else to do).
Any help would be appreciated. My https cert is still in place and working just fine. This is the LDAP cert that allows secure comms to AD for user management.
Thank you,
Robin Huighe
LDAP Cert Replacement
Re: LDAP Cert Replacement
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /etc/pki/ca-trust/source/anchors/

Then run these commands:

    update-ca-trust extract
    systemctl restart httpd

Then test it again.

If that still doesn't work, take your CA certs and put into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart httpd

That should do it.

If that still doesn't resolve it (it should), please PM me the output of this command:
- Change your.ad_or_ldap.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
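As an added example (not part of ssax's or Robin's posts, and not Nagios XI code): a small POSIX sh helper set that does the bookkeeping behind the steps above and behind ssax's later note that the anchors must hold every CA certificate in the chain (root CA plus any subordinate CA). It splits a PEM bundle into one .crt file per certificate for /etc/pki/ca-trust/source/anchors/, keeps exactly one TLS_CACERT line in /etc/openldap/ldap.conf for the fallback route, and wraps the openssl s_client check with -CAfile so the "Verify return code" line tells you whether the installed anchors actually complete the chain the domain controller presents. The paths are the thread's; the ldap-ca-N.crt naming, the placeholder certificates in write_sample_bundle, the CentOS 7 ca-bundle.crt path passed to -CAfile, and the demo/install/check argument handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nagios XI: helpers around the
# CentOS 7 CA-trust steps in ssax's reply. Paths come from the thread; the file
# naming, the sample bundle and the argument handling are assumptions.

ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
LDAP_CA_PEM="${LDAP_CA_PEM:-/etc/openldap/certs/ca.pem}"
# Assumed: the extracted system bundle on CentOS 7 (what httpd/openldap trust).
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Split a PEM bundle (root CA plus any subordinate CA certificates, one after
# another) into one <prefix>-N.crt file per certificate in outdir, since the
# anchors directory wants individual .crt files. Prints the number written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"; prefix="${3:-ldap-ca}"
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%s-%d.crt", dir, pfx, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Fallback route from the thread: the whole chain in one file, one cert on top
# of the other, referenced by a single TLS_CACERT line. Re-running this replaces
# the existing line instead of appending a second, conflicting one.
ensure_tls_cacert() {
    conf="$1"; pem="$2"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^TLS_CACERT[[:space:]]' "$conf"; then
        tmp="$conf.tmp.$$"
        awk -v pem="$pem" '/^TLS_CACERT[ \t]/ { print "TLS_CACERT " pem; next } { print }' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'TLS_CACERT %s\n' "$pem" >> "$conf"
    fi
}

# Number of TLS_CACERT directives in a ldap.conf (0 when there are none).
count_tls_cacert() {
    grep -c '^TLS_CACERT[[:space:]]' "$1" || true
}

# Apply ssax's first procedure end to end (root required; not run offline).
install_anchors() {
    split_pem_bundle "$1" "$ANCHORS_DIR" ldap-ca >/dev/null
    update-ca-trust extract
    systemctl restart httpd
}

# The thread's s_client check, with -CAfile so the "Verify return code" line
# says whether the installed anchors complete the chain the DC presents.
# </dev/null stands in for the thread's  echo 'DONE' |  (it closes the session).
check_ldaps_chain() {
    host="$1"
    openssl s_client -showcerts -connect "$host:636" -CAfile "$SYSTEM_BUNDLE" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Constructed two-certificate bundle (placeholder bodies, not real certificates)
# standing in for "root CA + subordinate CA", so the splitter can run offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI6IHJvb3QgQ0E=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI6IHN1YiBDQQ==
-----END CERTIFICATE-----
EOF
}

case "${1:-}" in
    demo)    d=$(mktemp -d); write_sample_bundle "$d/bundle.pem"
             echo "$(split_pem_bundle "$d/bundle.pem" "$d/anchors") anchors written under $d/anchors" ;;
    install) install_anchors "$2" ;;
    check)   check_ldaps_chain "$2" ;;
esac
```

Only the splitter and the ldap.conf helper run offline; `install_anchors` needs root on the Nagios XI host and `check_ldaps_chain` needs network reach to the domain controller on 636. A "Verify return code" other than 0 (ok) after the extract means the anchors do not complete the chain the server presents, which is exactly the missing-root-or-subordinate situation ssax's follow-up describes.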
Robin_JaCo
Re: LDAP Cert Replacement
Thank you ssax.
Manually adding the .crt files (btw, they are renamed base-64 encoded X.509 .cer files) and those commands worked.
My only advice, to those reading along, is that I only needed the new cert file. Ssax's instructions indicated needing the old and new, and that was not the case.
Re: LDAP Cert Replacement
Thank you for posting your update, I'm glad it's working! I apologize that I wasn't more clear; I'll try to reword that to be clearer in the future.
For clarity:
You would not want to use the old certs, only all CA certificates that complete the LDAP/AD server certificate's CA signer certificate chain. For example, if a subordinate CA issued the LDAP/AD certificate you would still need the Root CA's signer certificate that signed the subordinate CA's signer certificate to complete the chain. The instructions I crafted above try to be generic to hit both situations (single vs multiple CA certificates in the chain).
Locking and marking as resolved.
Thank you!