TLS error -12256: SSL received a malformed Certificate Request

ramsesvp
Posts: 1
Joined: Fri Oct 16, 2015 1:16 am

Post by ramsesvp »

Hello,

Let me start with explaining our setup.

We use a hosting provider that hosts our LDAP server. I don't know its setup or even what platform it runs on.

We run our servers on Red Hat 6.7. Recently we made the switch from nss_ldap and pam_ldap to sssd. sssd works perfectly with LDAP+TLS. However, I now get an error in check_ldaps.

This is my command line:

/usr/lib64/nagios/plugins/check_ldaps -v -H ldapserver.fqdn -p 636 -b '{{ ldap_dn }}' -P {{ ldap_pwd }} -D '{{ ldap_dn }}' -3

When I run it, I get this output:

ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS error -12256:SSL received a malformed Certificate Request handshake message.
Could not bind to the LDAP server

This is my sssd config:

[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = DNdeleted 
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://machinesname.fqdn:636
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pub

krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
ldap_schema = rfc2307bis
[domain/easi]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap

ldap_default_bind_dn = DNdeleted
ldap_uri = ldaps://
ldap_search_base = DNdeleted
enumerate = True
cache_credentials = True

ldap_default_authtok_type = password
ldap_default_authtok = plaintextpassworddeleted

ldap_tls_cacertdir = /etc/openldap/certs/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pub

ldap_id_use_start_tls = True
ldap_user_search_base = ou=OrgUnit,dc=easi
ldap_deref = Always


debug_level = 5
[sssd]
config_file_version = 2
#reconnection_retries = 3
#sbus_timeout = 30
services = nss, pam, autofs
domains = default, easi

debug_level = 5
[nss]

[pam]

[ssh]

[autofs]

Here is also my /etc/openldap/ldap.conf:

SASL_NOCANON    on
URI ldaps://machinename.fqdn:636
BASE DNdeleted
TLS_REQCERT always
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pub

Version numbers:

Redhat 6.7
Openssl: openssl-1.0.1e-42.el6.x86_64
openldap: openldap-2.4.40-5.el6.x86_64
Nagios_plugin_ldap: nagios-plugins-ldap-2.0.3-3.el6.x86_64
sssd: sssd-1.12.4-47.el6.x86_64

I have the feeling the problem is in the version of openldap. When I downgrade it, things seem to work again. Is anyone able to help me fix my Nagios check?

Regards
Rames van Pinxteren
Last edited by ramsesvp on Thu Mar 31, 2016 8:32 am, edited 2 times in total.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: TLS error -12256: SSL received a malformed Certificate Request

Post by rkennedy »

I believe the connection is not working properly between TLS and AD. There might be an issue with the newer version requiring a certain version of SSL.

Please check this with the following command and post the output back to us:

openssl s_client -connect ldapserverip:636 -showcerts
Former Nagios Employee
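A note on where this error comes from, and an added example that is not part of either post above. The code -12256 is not an OpenSSL code: it is Mozilla NSS's SSL_ERROR_RX_MALFORMED_CERT_REQUEST, and the OpenLDAP client libraries on RHEL 6 are built against NSS, so the message means the LDAP client library could not parse the CertificateRequest handshake message the server sent during the TLS handshake (check_ldaps only reports what libldap tells it). The parser below (example code, not from Nagios, OpenLDAP or NSS) walks the CertificateRequest structure from RFC 5246 section 7.4.4 and shows one way a message becomes "malformed": TLS 1.2 adds a supported_signature_algorithms vector that TLS 1.0/1.1 do not have, so the same bytes parse cleanly under one version's layout and fail under the other's. The sample messages are constructed; the empty DER SEQUENCE used as a CA name is a placeholder for a real DistinguishedName. The thread does not establish what the server in question actually sent, so this illustrates the check the client performs, not the root cause of this specific report.

```python
"""Parse and build the TLS CertificateRequest handshake message (RFC 5246 7.4.4).

Added example, not code from the thread or from OpenLDAP/NSS/Nagios.
NSS error -12256 is SSL_ERROR_RX_MALFORMED_CERT_REQUEST: the client read a
CertificateRequest whose vectors did not fit the layout of the negotiated version.
"""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request(13)


class MalformedCertificateRequest(ValueError):
    """Raised where a TLS client would send a decode_error alert and abort."""


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset; fail if n bytes are not there."""
    if pos + n > len(buf):
        raise MalformedCertificateRequest(
            "need %d bytes at offset %d, only %d left" % (n, pos, len(buf) - pos))
    return buf[pos:pos + n], pos + n


def _vector(buf, pos, len_bytes):
    """Read a TLS variable-length vector: big-endian length prefix, then body."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def parse_certificate_request(msg, tls12=True):
    """Parse a Handshake struct (type, 24-bit length, body) holding a CertificateRequest.

    tls12 selects the layout: TLS 1.2 inserts supported_signature_algorithms
    between certificate_types and certificate_authorities; 1.0/1.1 do not.
    """
    hdr, pos = _take(msg, 0, 4)
    if hdr[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise MalformedCertificateRequest("handshake type %d is not CertificateRequest" % hdr[0])
    if int.from_bytes(hdr[1:4], "big") != len(msg) - 4:
        raise MalformedCertificateRequest("handshake length does not match message size")

    cert_types, pos = _vector(msg, pos, 1)        # ClientCertificateType <1..2^8-1>
    if not cert_types:
        raise MalformedCertificateRequest("certificate_types is empty")

    sig_algs = []
    if tls12:
        raw, pos = _vector(msg, pos, 2)           # SignatureAndHashAlgorithm pairs, 2 bytes each
        if len(raw) == 0 or len(raw) % 2:
            raise MalformedCertificateRequest("supported_signature_algorithms empty or odd length")
        sig_algs = [(raw[i], raw[i + 1]) for i in range(0, len(raw), 2)]  # (hash, signature)

    ca_blob, pos = _vector(msg, pos, 2)           # certificate_authorities <0..2^16-1>
    cas, cpos = [], 0
    while cpos < len(ca_blob):
        dn, cpos = _vector(ca_blob, cpos, 2)      # DistinguishedName <1..2^16-1>, DER encoded
        if not dn:
            raise MalformedCertificateRequest("empty DistinguishedName")
        cas.append(dn)

    if pos != len(msg):
        raise MalformedCertificateRequest("%d trailing bytes" % (len(msg) - pos))
    return {"certificate_types": list(cert_types),
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def build_certificate_request(cert_types, sig_algs, ca_dns, tls12=True):
    """Encode a CertificateRequest; the inverse of parse_certificate_request."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if tls12:
        sa = b"".join(bytes(pair) for pair in sig_algs)
        body += struct.pack("!H", len(sa)) + sa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body += struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def demo():
    """Each constructed message parses under the version it was built for and
    is 'malformed' under the other, because the vector layout differs."""
    # Constructed values: rsa_sign(1) and ecdsa_sign(64) certificate types;
    # sha256/rsa, sha384/rsa, sha256/ecdsa as (hash, signature) pairs; and an
    # empty DER SEQUENCE (0x30 0x00) standing in for a real CA DistinguishedName.
    cert_types, sig_algs, cas = [1, 64], [(4, 1), (5, 1), (4, 3)], [b"\x30\x00"]
    req12 = build_certificate_request(cert_types, sig_algs, cas, tls12=True)
    req10 = build_certificate_request(cert_types, [], cas, tls12=False)

    def attempt(msg, tls12):
        try:
            parse_certificate_request(msg, tls12=tls12)
            return "ok"
        except MalformedCertificateRequest as e:
            return "malformed: %s" % e

    return {"tls12_as_tls12": attempt(req12, True),
            "tls12_as_tls10": attempt(req12, False),
            "tls10_as_tls10": attempt(req10, False),
            "tls10_as_tls12": attempt(req10, True)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

To get the real message off the wire for the parser, run the s_client command from the reply above with `-msg` added (present in the OpenSSL 1.0.1 that ships with RHEL 6): it dumps each handshake message, and a `CertificateRequest` line appearing after the server's `Certificate` shows that the server asks for a client certificate at all, together with the TLS version it negotiated. Repeating the run with `-tls1` and `-tls1_2` shows whether the server's CertificateRequest differs by version, which is the comparison the parser above is built to make.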