TLS error -12256:SSL received a malformed Certificate Reques

Posted: Fri Oct 16, 2015 2:30 am
by ramsesvp
Hello,

Let me start with explaining our setup.

We use a hosting provider that hosts our LDAP server. I don't know its setup or even on what platform it runs.

We run our servers on Red Hat 6.7. Recently we made the switch from nss_ldap and pam_ldap to sssd. Sssd works perfectly with ldap+tls. However, I now get an error in check_ldaps.

This is my commandline:

Code:

/usr/lib64/nagios/plugins/check_ldaps -v -H ldapserver.fqdn -p 636 -b '{{ ldap_dn }}' -P {{ ldap_pwd }} -D '{{ ldap_dn }}' -3
When I run it, I get this output:

Code:

ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS error -12256:SSL received a malformed Certificate Request handshake message.
Could not bind to the LDAP server

This is my sssd config:

Code:

[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = DNdeleted
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://machinesname.fqdn:636
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pub

krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
ldap_schema = rfc2307bis
[domain/easi]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap

ldap_default_bind_dn = DNdeleted
ldap_uri = ldaps://
ldap_search_base = DNdeleted
enumerate = True
cache_credentials = True

ldap_default_authtok_type = password
ldap_default_authtok = plaintextpassworddeleted

ldap_tls_cacertdir = /etc/openldap/certs/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pub

ldap_id_use_start_tls = True
ldap_user_search_base = ou=OrgUnit,dc=easi
ldap_deref = Always


debug_level = 5
[sssd]
config_file_version = 2
#reconnection_retries = 3
#sbus_timeout = 30
services = nss, pam, autofs
domains = default, easi

debug_level = 5
[nss]

[pam]

[ssh]

[autofs]
Here also my /etc/openldap/ldap.conf

Code:

SASL_NOCANON    on
URI ldaps://machinename.fqdn:636
BASE DNdeleted
TLS_REQCERT always
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pub
Version numbers:

Code:

Redhat 6.7
Openssl: openssl-1.0.1e-42.el6.x86_64
openldap: openldap-2.4.40-5.el6.x86_64
Nagios_plugin_ldap: nagios-plugins-ldap-2.0.3-3.el6.x86_64
sssd: sssd-1.12.4-47.el6.x86_64
I have the feeling the problem is in the version of openldap. When I downgrade that one it seems to be working again. Is anyone able to help me fix my nagios check?

Regards
Rames van Pinxteren

Re: TLS error -12256:SSL received a malformed Certificate Re

Posted: Fri Oct 16, 2015 1:43 pm
by rkennedy
I believe the connection is not working properly between TLS and AD. There might be an issue with the newer version requiring a certain version of SSL.

Please check this with the following command: openssl s_client -connect ldapserverip:636 -showcerts, and post the response back to us.
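The reply above asks for the output of openssl s_client, and the original error text says the client received a malformed Certificate Request handshake message. The script below is an added example (not from either poster and not part of any Nagios or OpenLDAP tooling) that captures such a transcript and then summarises the parts worth reading when this error appears: how many certificates the server presented, which protocol and cipher were negotiated, the certificate verification result, and whether the server sent a CertificateRequest at all (openssl prints "Acceptable client certificate CA names" when it did). The hostname, port and the embedded transcript are constructed for illustration; the PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: summarise an `openssl s_client -showcerts` transcript for an LDAPS endpoint.
# Nothing here is specific to the poster's environment; all sample values are constructed.

# Run the command from the reply and save the transcript to stdout (needs network access).
capture_s_client() {
    host="$1"; port="${2:-636}"
    openssl s_client -connect "${host}:${port}" -showcerts </dev/null 2>&1
}

# Number of certificates the server presented (one PEM block each with -showcerts).
chain_depth() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Whether the server asked for a client certificate (sent a CertificateRequest).
# openssl prints the CA names from that message, or an explicit "No ... sent" line.
requested_client_cert() {
    if grep -q '^Acceptable client certificate CA names' "$1"; then
        echo yes
    elif grep -q '^No client certificate CA names sent' "$1"; then
        echo no
    else
        echo unknown
    fi
}

# Protocol, cipher and verification result from the SSL-Session block.
negotiated_protocol() { sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1; }
negotiated_cipher()   { sed -n 's/^ *Cipher *: *//p' "$1" | head -n 1; }
verify_result()       { sed -n 's/^ *Verify return code: *//p' "$1" | head -n 1; }

# Human-readable summary; the last line points at the CertificateRequest question,
# because that is the message the NSS-based client reported as malformed.
summarise() {
    f="$1"
    echo "chain depth        : $(chain_depth "$f")"
    echo "protocol / cipher  : $(negotiated_protocol "$f") / $(negotiated_cipher "$f")"
    echo "verify result      : $(verify_result "$f")"
    echo "client cert asked  : $(requested_client_cert "$f")"
    if [ "$(requested_client_cert "$f")" = "yes" ]; then
        echo "note: server sends a CertificateRequest; a client failing with a 'malformed"
        echo "      Certificate Request' error is rejecting this message, so compare the CA"
        echo "      names above with what the hoster says the server should require."
    fi
}

# Constructed sample transcript (placeholder PEM bodies, invented names), used so the
# summary functions can be exercised without a live server.
SAMPLE_TRANSCRIPT=$(mktemp)
trap 'rm -f "$SAMPLE_TRANSCRIPT"' EXIT
cat >"$SAMPLE_TRANSCRIPT" <<'EOF'
CONNECTED(00000003)
depth=1 C = XX, O = Example CA, CN = Example Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=XX/O=Example/CN=ldapserver.example.test
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Root CA
   i:/C=XX/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/O=Example/CN=ldapserver.example.test
issuer=/C=XX/O=Example CA/CN=Example Root CA
---
Acceptable client certificate CA names
/C=XX/O=Example CA/CN=Example Root CA
---
SSL handshake has read 2345 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
---
EOF

# Usage against the sample; for a real server use: capture_s_client ldapserver.fqdn 636 > out.txt
summarise "$SAMPLE_TRANSCRIPT"
```

On a real run, a verify result other than "0 (ok)" means the CA file named in TLS_CACERT or ldap_tls_cacert does not validate the presented chain, which is worth fixing independently of the handshake error; "client cert asked: yes" on a server that is not meant to use client certificates is the first thing to raise with the hosting provider.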