AD authentication certificate issues.

Posted: Mon Feb 22, 2021 11:20 am
by joveroc
Hello,

I am having some problems with our AD authentication. We had to restore from backup and now AD authentication is not working. The error seems to be related to the certificate validity when I try to import users.

    Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

I have removed and re-uploaded the certificate from our CA per the Nagios XI documentation and have had no luck. AD authentication was working prior to the restore.

    openssl s_client -showcerts -connect x.x.x.x:636 </dev/null
    CONNECTED(00000003)
    depth=0
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0
    verify error:num=21:unable to verify the first certificate
    verify return:1

Any help would be appreciated.

Thanks,
Chris

Re: AD authentication certificate issues.

Posted: Mon Feb 22, 2021 7:29 pm
by ssax
Please PM me the full output of this command:

    openssl s_client -showcerts -connect x.x.x.x:636 </dev/null

What OS/version are you running?

    uname -a
    cat /etc/*release

Please enable debug logging via this guide and send the debug log output:

https://support.nagios.com/kb/article/a ... n-600.html

Send the output of these commands as well:

    ls -ld /etc/openldap
    ls -l /etc/openldap
    ls -l /etc/openldap/certs
    ls -l /etc/openldap/cacerts
    cat /etc/openldap/ldap.conf

Re: AD authentication certificate issues.

Posted: Tue Feb 23, 2021 9:29 am
by joveroc
PM sent.

Re: AD authentication certificate issues.

Posted: Wed Feb 24, 2021 5:17 pm
by ssax
Try adding this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/6033c0f9c486e.pem

Then restart apache:

    systemctl restart httpd

If you're using php-fpm, restart that too:

    systemctl restart php-fpm

Then test again.

If that doesn't work:

Please try adding your CA certificate (not the DC's cert) to:

    /etc/pki/ca-trust/source/anchors/

Then run this command:

    update-ca-trust extract

Then edit this file:

    /etc/openldap/ldap.conf

Add this (replacing the other):

    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Then restart apache:

    systemctl restart httpd

If you're using php-fpm, restart that too:

    systemctl restart php-fpm

Then test again and let us know the results.
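The two fixes above both come down to one thing: the OpenLDAP client on the Nagios XI host must be able to find the issuing CA for the certificate the domain controller presents. The helper below is an added example, not code from the thread or from Nagios XI. It parses the verify lines that `openssl s_client` printed in the first post and the TLS_* directives from /etc/openldap/ldap.conf, and reports why verification failed from the client's side. The sample s_client output and ldap.conf text are constructed from what the thread shows; the file path in the sample does not exist on the machine running the example, which is exactly the case the check is meant to catch. The `path_exists` parameter is an assumption of this helper so that it can run on constructed input.

```python
"""Diagnose an LDAPS 'unable to get local issuer certificate' failure from the client side.

Added example for this thread; not Nagios XI code. It only reads text that openssl
s_client and /etc/openldap/ldap.conf already produce.
"""
import os
import re

# Constructed sample: the verify lines shown in the first post of the thread.
SAMPLE_SCLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
"""

# Constructed ldap.conf using the path from the thread; it is not present on this host.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client configuration (constructed sample)
TLS_CACERT /etc/openldap/certs/6033c0f9c486e.pem
"""

# OpenSSL X509_V_ERR_* codes that commonly appear in LDAPS troubleshooting, and what
# each means for the client doing the verification.
VERIFY_ERROR_MEANING = {
    10: "a certificate in the chain has expired (check the host clock and the cert dates)",
    18: "the server presented a self-signed certificate that is not trusted",
    19: "the chain ends in a self-signed CA that is not in the client's trust store",
    20: "the issuer of the presented certificate is not in the CA store the client uses",
    21: "the chain cannot be built past the server certificate; the issuing CA is missing",
    62: "the certificate does not match the hostname used to connect",
}

_DEPTH_RE = re.compile(r"^depth=(\d+)")
_VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_verify_errors(sclient_output):
    """Return (depth, code, openssl_message, meaning) tuples from openssl s_client output."""
    errors = []
    depth = None
    for line in sclient_output.splitlines():
        m = _DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))  # depth=0 is the server's own certificate
            continue
        m = _VERIFY_RE.match(line)
        if m:
            code = int(m.group(1))
            meaning = VERIFY_ERROR_MEANING.get(code, "see the openssl verify man page")
            errors.append((depth, code, m.group(2), meaning))
    return errors


def parse_ldap_conf(text):
    """Return ldap.conf directives as a dict; names are compared case-insensitively here
    and a repeated directive overwrites the earlier value in this dict."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].upper()] = parts[1].strip()
    return directives


def check_tls_trust(directives, path_exists=os.path.isfile):
    """Report trust-store problems visible in the client config alone.

    path_exists is injectable (an assumption of this helper) so the check can run
    against constructed input without touching the real filesystem.
    """
    findings = []
    # OpenLDAP's default for TLS_REQCERT is 'demand'; 'never' and 'allow' skip
    # verification, which hides this error instead of fixing the trust problem.
    reqcert = directives.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    cacert = directives.get("TLS_CACERT")
    cacertdir = directives.get("TLS_CACERTDIR")
    if not cacert and not cacertdir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the client has no CA to verify the DC against")
    elif cacert and not path_exists(cacert):
        findings.append(f"TLS_CACERT {cacert} does not exist on this host")
    return findings


def diagnose(sclient_output, ldap_conf_text, path_exists=os.path.isfile):
    """Combine the s_client view and the ldap.conf view into one report."""
    errors = parse_verify_errors(sclient_output)
    codes = {code for _, code, _, _ in errors}
    findings = check_tls_trust(parse_ldap_conf(ldap_conf_text), path_exists)
    if 20 in codes or 21 in codes:
        findings.append("openssl could not find the issuer: point TLS_CACERT at the CA certificate "
                        "(not the DC's own cert), or add the CA to /etc/pki/ca-trust/source/anchors/ "
                        "and run 'update-ca-trust extract'")
    return {"errors": errors, "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_SCLIENT_OUTPUT, SAMPLE_LDAP_CONF)
    for depth, code, msg, meaning in report["errors"]:
        print(f"depth={depth} num={code}: {msg} -> {meaning}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it on a real host with the live s_client output and the real ldap.conf to get the same report; a finding about TLS_REQCERT is worth acting on even after the import works again, because disabling verification would make the error disappear without restoring trust in the DC's certificate.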

Re: AD authentication certificate issues.

Posted: Thu Feb 25, 2021 9:19 am
by joveroc
Hello,

The first command resolved the issue. The only other problem I had was that I had to re-add the users that were imported via AD. When they logged in they were getting a blank page after authenticating. Recreating the users via import from AD resolved this.

You can close this ticket. Thank you!

Re: AD authentication certificate issues.

Posted: Fri Feb 26, 2021 11:27 am
by benjaminsmith
> You can close this ticket. Thank you!

Great! Appreciate the update.