Unable to authenticate: error:14090086
Posted: Thu Jun 18, 2020 11:04 am
by mccrakem
Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
I have stood up a new test Nagios XI Server on CentOS 7
When I try and access the Active Directory Users and Computers I get the above error message
The same config works fine on our Red Hat 6 Server
I have attached Screenshots of the Authentication Server Configuration and the Certificate Authority Management
On the D-OPS-03 Domain Controller the following setting is applied
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"ldapserverintegrity"=dword:00000002
From what I see it looks like it is something to do with the Certificate.
The Server D-OPS-03 is our CA Server
If I change the setting "ldapserverintegrity"=dword:00000002 to 0
and set the Security Setting to None under the Authentication Server then the connection works fine
Re: Unable to authenticate: error:14090086
Posted: Thu Jun 18, 2020 5:00 pm
by cdienger
What are the permissions set to on the ldap directory when you run "ls -alhR /etc/openldap" ? We'd expect them to look something like:
Code: Select all
ls -alhR /etc/openldap/
/etc/openldap/:
total 20K
drwxrwxr-x. 4 apache nagios 4.0K Jun 17 09:53 .
drwxr-xr-x. 85 root root 4.0K Jun 17 15:29 ..
drwxrwxr-x 2 apache nagios 4.0K Jun 17 09:53 cacerts
drwxrwxr-x. 2 apache nagios 4.0K Mar 22 2017 certs
-rw-rw-r-- 1 apache nagios 317 Jun 17 09:53 ldap.conf
/etc/openldap/cacerts:
total 8.0K
drwxrwxr-x 2 apache nagios 4.0K Jun 17 09:53 .
drwxrwxr-x. 4 apache nagios 4.0K Jun 17 09:53 ..
/etc/openldap/certs:
total 72K
drwxrwxr-x. 2 apache nagios 4.0K Mar 22 2017 .
drwxrwxr-x. 4 apache nagios 4.0K Jun 17 09:53 ..
-rw-r--r--. 1 root root 64K May 6 2015 cert8.db
-rw-r--r--. 1 root root 16K May 6 2015 key3.db
-r--------. 1 root root 45 May 6 2015 password
-rw-r--r--. 1 root root 16K May 6 2015 secmod.db
Re: Unable to authenticate: error:14090086
Posted: Fri Jun 19, 2020 2:40 am
by mccrakem
Hi
All the permissions look ok
[root@dwylbopngios02 openssl]# ls -alhR /etc/openldap
/etc/openldap:
total 20K
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 .
drwxr-xr-x. 105 root root 8.0K Jun 18 11:18 ..
drwxrwxr-x 2 apache nagios 29 Jun 19 03:37 cacerts
drwxrwxr-x. 2 apache nagios 120 Jun 19 03:37 certs
-rw-rw-r-- 1 apache nagios 400 Jun 18 09:01 ldap.conf
-rw-rw-r-- 1 apache nagios 400 Jun 18 09:01 ldap.conf.bak
/etc/openldap/cacerts:
total 0
drwxrwxr-x 2 apache nagios 29 Jun 19 03:37 .
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 ..
lrwxrwxrwx 1 apache apache 37 Jun 18 09:51 5eeb716e1945c.0 -> /etc/openldap/certs/5eeb716e1945c.pem
/etc/openldap/certs:
total 76K
drwxrwxr-x. 2 apache nagios 120 Jun 19 03:37 .
drwxrwxr-x. 4 apache nagios 72 Jun 19 03:18 ..
-rw-r--r-- 1 apache apache 2.0K Jun 18 09:51 5eeb716e1945c.crt
-rw-r--r-- 1 apache apache 5.8K Jun 18 09:51 5eeb716e1945c.pem
-rw-r--r--. 1 root root 64K May 3 2018 cert8.db
-rw-r--r--. 1 root root 16K May 3 2018 key3.db
-r--------. 1 root root 45 May 3 2018 password
-rw-r--r--. 1 root root 16K May 3 2018 secmod.db
[root@dwylbopngios02 openssl]#
Re: Unable to authenticate: error:14090086
Posted: Fri Jun 19, 2020 2:43 pm
by cdienger
It's having difficulty getting or matching the cert. Let's get a tcpdump so we can confirm the communication and the certificate. Do this on the XI command line:
Code: Select all
yum -y install tcpdump      # CentOS/RHEL
apt-get install tcpdump     # Debian/Ubuntu
Code: Select all
tcpdump -s 0 -i any host w.x.y.z -w output.pcap
Where w.x.y.z is the IP address of the DC. Let this run just long enough to try to authenticate and reproduce the error then use CTRL+C to stop it. Please PM me the output.pcap file this creates.
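Added example, not part of the thread: the error string comes from OpenSSL, so its command-line tool can check the same thing the capture is meant to confirm, namely whether the certificate the DC presents chains to the CA file installed on the XI server, and whether a CA directory holds the `<subject_hash>.N` file name that OpenSSL's directory lookup uses. The function names and the host/port arguments are assumptions; all paths are supplied by the caller.

```bash
#!/bin/sh
# Added example (not Nagios XI code). Requires the openssl command-line tool.

# Save the leaf certificate a TLS server presents, e.g. a DC's LDAPS port.
# usage: fetch_leaf HOST PORT OUTFILE      (HOST/PORT are caller-supplied)
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Show who issued a certificate and who it was issued to.
# The issuer printed for the DC's certificate must match the subject of the CA file.
# usage: cert_names CERT
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Return 0 if CERT verifies against the CA bundle CAFILE, non-zero otherwise.
# A failure here reproduces "unable to get local issuer certificate" offline.
# usage: chain_ok CAFILE CERT
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if CADIR has an entry named <subject_hash>.<n> for CACERT.
# OpenSSL finds issuers in a CA directory only through names of this form.
# usage: hash_link_ok CADIR CACERT
hash_link_ok() {
    h=$(openssl x509 -in "$2" -noout -subject_hash) || return 2
    for f in "$1/$h".[0-9]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Typical sequence on the XI server (w.x.y.z is the DC, as in the post above;
# port 636 is an assumption for LDAPS, and CA_PEM is the uploaded CA file):
#   fetch_leaf w.x.y.z 636 /tmp/dc-leaf.pem
#   cert_names /tmp/dc-leaf.pem
#   chain_ok "$CA_PEM" /tmp/dc-leaf.pem && echo "chain verifies"
#   hash_link_ok /etc/openldap/cacerts "$CA_PEM" || echo "no hash-named entry"
```
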
Re: Unable to authenticate: error:14090086
Posted: Mon Jun 22, 2020 2:53 am
by mccrakem
Hi
PM message sent with output.pcap file
Thanks
Re: Unable to authenticate: error:14090086
Posted: Mon Jun 22, 2020 2:04 pm
by cdienger
The file doesn't appear to have made it. Try compressing it and changing the extension to .zip.