Error after Certificate updated in LDAP/AD Import Users

Posted: Wed Oct 27, 2021 11:11 am
by FLCUISIT
We recently replaced an expired root certificate in Active Directory. When we are trying to authenticate via STARTTLS, I get the following error:

Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

Checked the certificate on the server with the following command:
openssl s_client -showcerts -connect servername.domain.tld:636 (with our true names) and am not getting any errors.

I have created a workaround which disabled encryption on LDP for the time being, but trying to get down to the root cause and solution.

Re: Error after Certificate updated in LDAP/AD Import Users

Posted: Wed Oct 27, 2021 5:53 pm
by ssax
Please follow these steps and it should resolve it:

If your XI server OS version is RedHat/CentOS/Oracle:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /etc/pki/ca-trust/source/anchors/

Then run these commands:

    update-ca-trust extract
    systemctl restart httpd php-fpm

Then test it again.

If that still doesn't work, take your CA certs and put into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart httpd php-fpm

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636

If your XI server OS version is Ubuntu/Debian:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /usr/local/share/ca-certificates/

Then run these commands:

    sudo update-ca-certificates
    systemctl restart apache2

Then test it again.

If that still doesn't work, take your CA certs and put into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/ldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart apache2

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
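
Added worked example (not code from this thread or from Nagios XI): the procedure above hinges on two details that are easy to get wrong by hand. First, "unable to get local issuer certificate" means the verifier could not find the issuer of one certificate in the server's chain in the trust store it was handed, so the new root and any intermediate both have to land in that store. Second, the anchors directory wants one certificate per .crt file, while `openssl s_client -showcerts` prints them back to back with chain annotations in between, and it exits 0 even when verification fails (the verdict is only in the "Verify return code:" line, which is why the OP's check looked clean). The script below fetches the chain, splits it into one file per certificate, shows what each one is so the server's own leaf certificate is not added to the trust store by mistake, and offers a check that actually fails when the chain does not validate. Host names, paths and the sample chain are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from this thread or from Nagios XI.
# Fetch the CA chain an AD/LDAP server presents, split it into one .crt per
# certificate for the anchors directory, and verify the server against a
# bundle in a way that fails on error (plain s_client does not).
# Host names, paths and SAMPLE_CHAIN are made up for illustration.

# fetch_server_chain HOST [PORT]
# Prints the raw s_client output, including every PEM certificate the server
# sends. Caveat: s_client exits 0 even when verification fails; read the
# "Verify return code:" line, which is left in the output on purpose.
fetch_server_chain() {
  host=$1; port=${2:-636}
  echo 'DONE' | openssl s_client -showcerts -servername "$host" \
    -connect "$host:$port" 2>/dev/null
}

# split_pem_bundle INPUT DESTDIR [PREFIX]
# Writes DESTDIR/PREFIX-1.crt, DESTDIR/PREFIX-2.crt, ... one certificate each,
# in the order they appear, ignoring the non-PEM lines s_client prints between
# them. Prints the number of certificates written.
# Entry 1 of an s_client chain is the server's own (leaf) certificate; only
# the issuing CA and root entries belong in the trust store.
split_pem_bundle() {
  input=$1; dest=$2; prefix=${3:-ad-ca}
  mkdir -p "$dest"
  awk -v dest="$dest" -v prefix="$prefix" '
    /^-----BEGIN CERTIFICATE-----/ {
      n++; out = sprintf("%s/%s-%d.crt", dest, prefix, n); inside = 1
    }
    inside { print > out }
    /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$input"
}

# describe_certs DIR
# Shows subject and issuer of every .crt in DIR so leaf, intermediate and
# root can be told apart before anything is copied into anchors/.
describe_certs() {
  for f in "$1"/*.crt; do
    printf '%s: ' "$f"
    openssl x509 -noout -subject -issuer -in "$f"
  done
}

# verify_against_bundle HOST PORT CAFILE
# Exits non-zero if the server's chain does not validate against CAFILE.
# This is the check PHP and OpenLDAP perform and plain s_client skips.
verify_against_bundle() {
  host=$1; port=$2; cafile=$3
  echo 'DONE' | openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$cafile" -verify_return_error >/dev/null 2>&1
}

# Constructed sample of s_client -showcerts output for a server that sends
# its leaf plus one intermediate while the root is missing from the local
# store. The base64 bodies are placeholders, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.example.internal
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBLEAFPLACEHOLDER00000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBISSUINGCAPLACEHOLDER000000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)
---'
```

Typical run on the XI server: `fetch_server_chain dc01.example.internal > /tmp/chain.txt`, then `split_pem_bundle /tmp/chain.txt /tmp/chain` and `describe_certs /tmp/chain`. Copy only the CA files (not the leaf) into /etc/pki/ca-trust/source/anchors/ (or /usr/local/share/ca-certificates/ on Debian/Ubuntu), run the update command from the post, and confirm with `verify_against_bundle dc01.example.internal 636 /etc/pki/tls/certs/ca-bundle.crt` (Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt); a zero exit there means the same trust store PHP and OpenLDAP use now validates the server. If the server sends only its leaf certificate, the intermediate and root will not be on the wire at all and have to be exported from the CA itself.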

Re: Error after Certificate updated in LDAP/AD Import Users

Posted: Thu Oct 28, 2021 8:14 am
by FLCUISIT
That did the trick. Thanks for the help.

Re: Error after Certificate updated in LDAP/AD Import Users

Posted: Fri Oct 29, 2021 10:01 am
by benjaminsmith
> That did the trick. Thanks for the help.
Excellent. We'll go ahead close this out, but feel free to contact us again if you have any questions.

Have a great weekend!

--Benjamin