Active directory TLS CA cert install in RHEL8 is broken

Posted: Fri Jun 18, 2021 5:02 am
by mrmit
We have been having problems installing Nagios on a RHEL8 platform instead of the old RHEL6.

I have debugged the h*ll out of the Active Directory TLS connection issues and found a lot of work-arounds, but mostly it is just broken. It seems Nagios uses the wrong hash method to add the certificates to the /etc/openldap/cacerts directory, so the ldap client cannot find the certificates by their certificate hash.

Here is an excerpt of an strace of an openssl s_client execution, where you see which hashes it is looking for:
stat("/etc/openldap/certs/7cee409f.0", {st_mode=S_IFREG|0644, st_size=2463, ...}) = 0
openat(AT_FDCWD, "/etc/openldap/certs/7cee409f.0", O_RDONLY) = 4
stat("/etc/openldap/certs/7cee409f.1", 0x7ffd2aa3cc60) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
stat("/etc/openldap/certs/bc66a2c6.0", {st_mode=S_IFREG|0644, st_size=1857, ...}) = 0
openat(AT_FDCWD, "/etc/openldap/certs/bc66a2c6.0", O_RDONLY) = 4
stat("/etc/openldap/certs/bc66a2c6.1", 0x7ffd2aa3cc60) = -1 ENOENT (No such file or directory)

It seems Nagios is not using the openssl rehash command, but instead its own hash function.

We work around it by using the default server trust store /etc/pki/crt/ca.pem, where the CA certs are added. It would be good to fix this in Nagios, so we don't try to rely on the GUI, which will not work - not on RHEL8 anyway.
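
As an added check (not from this thread and not Nagios code), the following POSIX shell function verifies that every CA file in a hash directory is reachable under the name OpenSSL's lookup actually tries, `<subject_hash>.N` as seen in the strace above, and flags files that are only present under the pre-1.0.0 MD5 name (`openssl x509 -subject_hash_old`). It assumes the `openssl` CLI is installed and that the directory name is passed as its argument.

```shell
#!/bin/sh
# check_cacerts_hashes DIR
# For each *.pem / *.crt in DIR, compute the subject hash that the OpenSSL
# hash-directory lookup (X509_LOOKUP_hash_dir) uses and confirm that
# DIR/<hash>.N exists and has the same content (a symlink or a copy).
# Prints one status line per certificate; returns 0 only if all resolve.
# Hypothetical helper for auditing a cacerts directory; requires openssl.
check_cacerts_hashes() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue            # unmatched glob stays literal
        new_hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) \
            || { echo "UNREADABLE $cert"; rc=1; continue; }
        old_hash=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null)
        found=""
        n=0
        # OpenSSL probes <hash>.0, <hash>.1, ... until a name is missing
        while [ -e "$dir/$new_hash.$n" ]; do
            if cmp -s "$dir/$new_hash.$n" "$cert"; then
                found="$dir/$new_hash.$n"
                break
            fi
            n=$((n + 1))
        done
        if [ -n "$found" ]; then
            echo "OK      $cert -> $found"
        elif [ -e "$dir/$old_hash.0" ]; then
            echo "OLDHASH $cert: only $old_hash.0 (MD5-era hash) present; OpenSSL wants $new_hash.0"
            rc=1
        else
            echo "MISSING $cert: expected $new_hash.0 (run: openssl rehash $dir)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_cacerts_hashes /etc/openldap/cacerts`; a non-zero exit means at least one CA file will be ignored by the LDAP client's TLS validation until the directory is rehashed.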

Re: Active directory TLS CA cert install in RHEL8 is broken

Posted: Fri Jun 18, 2021 9:59 am
by gsmith
Hi,

Thanks for all the work debugging this.

I opened a bug report so that our developers can take a look.

Thanks