Re: 5.6.7 Not listing LDAP Users for Import
Posted: Mon Jan 06, 2020 1:41 pm
by cdienger
The responses:
verify error:num=20:unable to get local issuer certificate
Verify return code: 21 (unable to verify the first certificate)
Usually mean that the CA that signed the certificate used by LDAP isn't imported. Make sure that it is imported under Admin > Users > LDAP/AD Integration > Certificate Authority Management. Sometimes it helps to delete and then import the CA -
https://support.nagios.com/kb/article.p ... ategory=38.
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Tue Jan 07, 2020 10:45 am
by optionstechnology
This hasn't fixed anything unfortunately. Is there anything else we can try here? Some of our clients are beginning to flag this as an issue as they can't log on so we're getting quite a lot of backlash from it.
All was working fine until we upgraded to 5.6.8. The 5.6.9 release notes list the below, could this be related?
Fixed issue in AD/LDAP certificate management where certificates with binary data couldn't be added [TPS#14690] -JO
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Tue Jan 07, 2020 11:06 am
by cdienger
14690 addressed an issue that prevented the CA from being loaded under Admin > Users > LDAP/AD Integration on systems using PHP 7+. I don't think this is related to the issue you're seeing, but do either of these apply to your system?
Run the following to gather a packet capture while you try to import users from LDAP:
Code:
yum -y install tcpdump
tcpdump -s 0 -i any -w output.pcap
Let this run just long enough to reproduce the problem and use CTRL+C to stop it. Please PM me the output.pcap (zip it first).
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Tue Jan 07, 2020 12:06 pm
by optionstechnology
I've PM'd the zip file to you.
FYI this isn't just affecting importing users. It means users can't log in (or have to try numerous times to get logged in). As previously mentioned, it fails then occasionally works.
I've experienced this myself on every Nagios instance we have that's been upgraded as of recently.
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Tue Jan 07, 2020 3:52 pm
by cdienger
The certificate that dc2 is responding with appears to have expired. Please see PM highlighting the issue.
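Added example, not part of the original posts and not Nagios's own tooling: a shell check that queries each directory server separately with `openssl s_client` and tells the untrusted-issuer errors quoted earlier in the thread (20/21) apart from an expired certificate (10). The CA file path, port 636 and the host names passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example. CA_FILE, port 636 and the host arguments are assumptions.
CA_FILE=${CA_FILE:-/path/to/ldap-ca.pem}   # placeholder path to the signing CA

# Read `openssl s_client` output on stdin and print one diagnosis per distinct
# code found in "verify error:num=N" and "Verify return code: N" lines.
diagnose() {
    codes=$(sed -n -e 's/^ *verify error:num=\([0-9][0-9]*\):.*/\1/p' \
                   -e 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | sort -nu)
    [ -n "$codes" ] || { echo "no-verify-result"; return; }
    for c in $codes; do
        case $c in
            0)     echo "ok" ;;
            10)    echo "expired" ;;             # certificate has expired
            20|21) echo "issuer-not-trusted" ;;  # signing CA missing from trust store
            *)     echo "other:$c" ;;
        esac
    done | sort -u
}

# Query one directory server; print host, diagnosis and certificate end date.
check_server() {
    out=$(openssl s_client -connect "$1:636" -CAfile "$CA_FILE" </dev/null 2>&1)
    end=$(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null)
    printf '%s\t%s\t%s\n' "$1" "$(printf '%s\n' "$out" | diagnose | tr '\n' ' ')" \
        "${end:-no certificate received}"
}

# Constructed s_client excerpts for offline use (not taken from the thread's servers).
sample_untrusted() {
    printf '%s\n' 'verify error:num=20:unable to get local issuer certificate' \
        '    Verify return code: 21 (unable to verify the first certificate)'
}
sample_expired() {
    printf '%s\n' 'verify error:num=10:certificate has expired' \
        '    Verify return code: 10 (certificate has expired)'
}

# Check every server named on the command line, one connection each.
for host in "$@"; do
    check_server "$host"
done
```

Pass every directory server as its own argument so that each one's certificate is checked individually rather than whichever server happens to answer.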
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Thu Jan 09, 2020 12:33 pm
by optionstechnology
Great thanks! Working to get this rectified now. Will post an update shortly
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Thu Jan 09, 2020 5:06 pm
by cdienger
Sounds good. Keep us posted!
Re: 5.6.7 Not listing LDAP Users for Import
Posted: Fri Jan 10, 2020 11:42 am
by optionstechnology
You can close this baby up - cert has been renewed on our DC and has fixed the issue.
I appreciate the help!

Re: 5.6.7 Not listing LDAP Users for Import
Posted: Fri Jan 10, 2020 12:51 pm
by cdienger
Glad to hear!