LDAPS, This certificate has already been added
Posted: Wed Feb 05, 2020 5:58 am
Hi,
I am currently in the process of moving our NagiosXI-installation (5.6.5 on CentOS 7 64-bit, manual install).
We have two domain controllers running LDAPS, each with their own self-signed certificate. Thus I wanted to instruct XI to trust both of these certificates.
The first certificate was added without problems, but adding the second certificate gives the error "This certificate has already been added".
I have tried to add other (unrelated) certificates, but they fail as well. I can only have a single certificate registered at a time.
I did some digging in html/includes/components/ldap_ad_integration/ajax.php and I believe this is a permissions-issue.
I found the following in the Apache log:
It appears that the .crt-file can't be written to /etc/openldap/certs, which in turn hinders the creation of the .pem-file and the generation of $hash.
Thus adding the first certificate creates the (broken) symbolig link .0 in cacerts.
Changing the permissions on certs to rwxrwxr-x (was rwxr-xr-x) and the owner to apache:nagios (was root:root) fixed the issue!
Are these the recommended permissions for /etc/openldap/certs?
I am currently in the process of moving our NagiosXI-installation (5.6.5 on CentOS 7 64-bit, manual install).
We have two domain controllers running LDAPS, each with their own self-signed certificate. Thus I wanted to instruct XI to trust both of these certificates.
The first certificate was added without problems, but adding the second certificate gives the error "This certificate has already been added".
I have tried to add other (unrelated) certificates, but they fail as well. I can only have a single certificate registered at a time.
I did some digging in html/includes/components/ldap_ad_integration/ajax.php and I believe this is a permissions-issue.
I found the following in the Apache log:
Code: Select all
PHP Warning: file_put_contents(/etc/openldap/certs/5e3a95b01f15f.crt): failed to open stream: Permission denied in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.phpThus adding the first certificate creates the (broken) symbolig link .0 in cacerts.
Changing the permissions on certs to rwxrwxr-x (was rwxr-xr-x) and the owner to apache:nagios (was root:root) fixed the issue!
Are these the recommended permissions for /etc/openldap/certs?