Active Directory error on 2nd Nagios XI Server

Posted: Fri May 01, 2020 10:47 am
by pspagnola
I have a working Nagios XI (v5.6.12) server in production running enterprise edition. My boss would like a test server so that we don't break alerts on the production server when we test Nagios configuration changes.

I've set up the second server (free license mode), updated Nagios XI (v5.6.14), updated CentOS with yum and most of Nagios is working fine.

However, I cannot get the user login AD integration working properly. I tried the exact setup as the first server (which is working fine) and I followed the AD Nagios guide. When I set up AD integration on the production server, I had problems until I imported the CA cert, then it worked great. I have imported the CA cert on the second server, but it still won't work properly.

If I choose "import users from AD" and enter my credentials I get this error:
Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

Where is the best log file to troubleshoot this? How do I increase logging level to catch the problem better?

Where would you start troubleshooting this?

Re: Active Directory error on 2nd Nagios XI Server

Posted: Fri May 01, 2020 11:29 am
by pspagnola
So I ran this command on both the production and test servers:

openssl s_client -showcerts -connect server-name.domain.tld:636

Same results on both servers:
CONNECTED(00000003)
depth=0 CN = server-name.domain.tld
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server-name.domain.tld
verify error:num=21:unable to verify the first certificate
verify return:1

Does importing the CA cert within the Nagios XI GUI store the cert as a CA cert in Linux?

Re: Active Directory error on 2nd Nagios XI Server

Posted: Fri May 01, 2020 12:10 pm
by pspagnola
Found the solution myself. I have no idea why this is not affecting my production server, but if it happens to production I will know what to do.

Used FileZilla to copy my CA cert to both of these folders:
/etc/pki/CA/certs
/etc/pki/ca-trust/source/anchors

*Not sure which folder it actually needed to be in.

Then I ran this command:
update-ca-trust force-enable

Then I tested with openssl:
openssl s_client -showcerts -connect server-name.domain.tld:636

No errors.

Tested with Nagios XI login using AD credentials: successful


CentOS Linux release 7.7.1908 (Core)
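
The failure and fix discussed in this thread, reproduced offline as an added example (not part of the original posts): it builds a constructed throwaway CA and server certificate, then shows `openssl verify` reporting the same "unable to get local issuer certificate" error until the CA is supplied as a trust anchor. The function names, file names and CA subject are assumptions made for the example; it needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the thread. All certificates here are constructed test data.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_test_pki() {
  dir=$1
  # Constructed root CA (stands in for the AD domain's issuing CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  # Constructed server key and CSR (stands in for the LDAPS certificate).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=server-name.domain.tld" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
  # Sign the CSR with the constructed CA.
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/srv.crt" 2>/dev/null
}

# Classify the verification result for certificate $1.
# Any further arguments are passed through to "openssl verify".
chain_status() {
  cert=$1; shift
  # Parse the output instead of the exit code; "|| true" keeps "set -e" shells alive.
  out=$(openssl verify "$@" "$cert" 2>&1) || true
  case $out in
    *"unable to get local issuer certificate"*) echo "missing-issuer" ;;
    *": OK"*) echo "trusted" ;;
    *) echo "other-error" ;;
  esac
}

# Verify once against the default trust store (which lacks the constructed CA),
# then again with the CA supplied, and print "before -> after".
demo() {
  work=$(mktemp -d) || return 1
  make_test_pki "$work" || { rm -rf "$work"; return 1; }
  before=$(chain_status "$work/srv.crt")
  after=$(chain_status "$work/srv.crt" -CAfile "$work/ca.crt")
  rm -rf "$work"
  echo "$before -> $after"
}

demo
```

On the real server the equivalent check is the thread's `openssl s_client` command, with the system trust bundle playing the role of `-CAfile`. On CentOS 7, `update-ca-trust` builds that bundle from the certificates placed in /etc/pki/ca-trust/source/anchors.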

Re: Active Directory error on 2nd Nagios XI Server

Posted: Fri May 01, 2020 3:04 pm
by ssax
That's the second time in the last week I've heard someone needing to do this. I've personally never had to do it on any systems so I'm wondering what the issue actually was as it should work if configured normally (barring any issues). I'm running the same OS/ver as well. You can either leave it (that's a better way to do it for the whole of the system) or we can troubleshoot it. Which would you like to do?

Thank you for posting your resolution!

Re: Active Directory error on 2nd Nagios XI Server

Posted: Tue May 12, 2020 9:53 am
by pspagnola
My production server stopped working this morning for AD logins. I applied the same solution and now it works again.

Re: Active Directory error on 2nd Nagios XI Server

Posted: Tue May 12, 2020 9:54 am
by pspagnola
Not sure what the culprit is. I recently enabled automatic security updates via yum-cron.

Recent yum package changes:
Mar 09 12:14:15 Updated: nagios-repo-7-4.el7.noarch
Mar 09 12:14:17 Updated: nagiosxi-deps-el7-5.6.12-1.noarch
Mar 09 12:21:17 Installed: xmlsec1-1.2.20-7.el7_4.x86_64
Mar 09 12:21:17 Installed: xmlsec1-openssl-1.2.20-7.el7_4.x86_64
Mar 09 12:21:17 Installed: libmspack-0.5-0.7.alpha.el7.x86_64
Mar 09 12:21:17 Installed: pciutils-3.5.1-3.el7.x86_64
Mar 09 12:21:17 Installed: libdnet-1.12-13.1.el7.x86_64
Mar 09 12:21:18 Installed: libicu-50.2-3.el7.x86_64
Mar 09 12:21:18 Installed: fuse-2.9.2-11.el7.x86_64
Mar 09 12:21:18 Installed: fuse-libs-2.9.2-11.el7.x86_64
Mar 09 12:21:18 Installed: open-vm-tools-10.3.0-2.el7_7.1.x86_64
Apr 20 15:58:21 Installed: yum-cron-3.4.3-163.el7.centos.noarch
Apr 23 06:25:48 Updated: python2-pip.noarch 8.1.2-12.el7
Apr 26 07:36:52 Installed: libtirpc.x86_64 0.2.4-0.16.el7
Apr 26 07:36:54 Installed: python3-libs.x86_64 3.6.8-10.el7
Apr 26 07:36:54 Installed: python3.x86_64 3.6.8-10.el7
Apr 26 07:36:54 Installed: python3-setuptools.noarch 39.2.0-10.el7
Apr 26 07:36:54 Installed: python3-pip.noarch 9.0.3-7.el7_7
Apr 26 07:36:54 Updated: python2-jmespath.noarch 0.9.4-1.el7
Apr 26 07:36:59 Updated: ansible.noarch 2.9.6-3.el7
Apr 29 07:15:32 Updated: ansible.noarch 2.9.7-1.el7

Re: Active Directory error on 2nd Nagios XI Server

Posted: Tue May 12, 2020 1:07 pm
by ssax
Thanks for posting that.

What version of PHP are you running?

rpm -qa | grep php-