Ldap/AD authentication issue - Certificate Validation error

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
kunalbsharma
Posts: 7
Joined: Fri Aug 27, 2021 10:17 am

Ldap/AD authentication issue - Certificate Validation error

Post by kunalbsharma »

Hello Team,

I have an AD authentication issue after recent changes to our AD server. We had to migrate to a new AD server and update the same in nagios GUI "LDAP / AD Integration Page". After the migration we broke the AD authentication and needed some assistance to fix the same.

Based on several suggestions mentioned in the support forum, I was able to figure out the issue with the SSL certificate. However, I couldn't get it to work.

Any help you can provide would be most appreciated, thank you in advance.

Issue:
[root@nagios ~]# openssl s_client -showcerts -connect nagios.xxx.com:443
CONNECTED(00000003)
depth=0 CN = nagios.xxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nagios.cmc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
[root@nagios ~]# openssl s_client -showcerts -connect ldapserver.xxx.com:636
CONNECTED(00000003)
depth=1 DC = com, DC =xxx, CN = xxx Certificate Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=ldap.xxx.com
i:/DC=com/DC=xxx/CN=xxx Certificate Authority
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAgITIwAH5t6nwpGch9t9iQAAAAfm3jANBgkqhkiG9w0BAQsF
ADBSMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDY21jMSYw
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Ldap/AD authentication issue - Certificate Validation er

Post by ssax »

If your Log Server OS version is RedHat/CentOS/Oracle:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

/etc/pki/ca-trust/source/anchors/

Then run these commands as root/sudo:

update-ca-trust extract
systemctl restart httpd php-fpm

Then test it again and let us know the results.


If your Log Server OS version is Ubuntu/Debian:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

/usr/local/share/ca-certificates/

Then run these commands as root/sudo:

sudo update-ca-certificates
systemctl restart apache2

Then test it again and let us know the results.


Thank you!
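The two `openssl s_client` checks in the opening post and the trust-store fix above turn on reading the `depth=` and `verify error:num=` lines correctly: error 20 at depth 1 means the server did send its CA certificate but that CA is not in the local trust store, while errors 20 and 21 at depth 0 mean the server presented only its leaf and the issuer is unknown locally. The following Python triage script is an added example, not code from this thread or from Nagios; it parses that output (the two samples are constructed, with placeholder hostnames and DNs) and names the certificate that has to be dropped into the anchors directory before `update-ca-trust extract` is run.

```python
"""Triage helper for `openssl s_client -showcerts` output.

Added example (not from the forum thread or the Nagios product). It parses the
`depth=` / `verify error:num=` lines and the `Certificate chain` block, then
reports which CA certificate is missing from the local trust store.
Usage:  openssl s_client -showcerts -connect ldap.example:636 </dev/null | python3 triage.py
"""
import re
import sys

# Constructed sample: LDAPS check where the server sends its CA (depth 1) but
# that CA is not trusted locally. Hostnames/DNs are placeholders.
SAMPLE_LDAPS = """CONNECTED(00000003)
depth=1 DC = com, DC = xxx, CN = xxx Certificate Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=ldap.xxx.com
   i:/DC=com/DC=xxx/CN=xxx Certificate Authority
---
"""

# Constructed sample: HTTPS check where only the leaf is presented (depth 0),
# so OpenSSL reports both error 20 and error 21.
SAMPLE_WEB = """CONNECTED(00000003)
depth=0 CN = nagios.xxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nagios.xxx.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=nagios.xxx.com
   i:/DC=com/DC=xxx/CN=xxx Certificate Authority
---
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_s_client(output):
    """Return {'errors': [...], 'chain': [...]} from s_client text.

    Each error records the depth and subject of the certificate OpenSSL was
    examining when it raised the error; each chain entry records subject/issuer.
    """
    errors, chain = [], []
    depth, subject = None, None
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = ERR_RE.match(line)
        if m:
            errors.append({"num": int(m.group(1)), "msg": m.group(2).strip(),
                           "depth": depth, "subject": subject})
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain.append({"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
            continue
        m = ISSUER_RE.match(line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return {"errors": errors, "chain": chain}


def diagnose(parsed):
    """Map verify errors 20/21 to the certificate that must be trusted locally."""
    errors, chain = parsed["errors"], parsed["chain"]
    if not errors:
        return {"verdict": "trusted", "top_depth": None, "missing_issuer_of": None,
                "hint": "chain validates against the local trust store"}
    # The deepest certificate OpenSSL complained about is the top of what the
    # server sent; the local store lacks its issuer (or the cert itself, if root).
    deepest = max(errors, key=lambda e: -1 if e["depth"] is None else e["depth"])
    top_depth = deepest["depth"]
    if top_depth and top_depth > 0:
        hint = ("server sent CA certificate '%s' but it is not trusted locally; save it "
                "(or its issuer) as a .crt file in the anchors directory and run "
                "update-ca-trust extract" % deepest["subject"])
    else:
        issuer = chain[0]["issuer"] if chain else "its issuer"
        hint = ("server presented only its leaf certificate; add the issuing CA %s "
                "(and any intermediates) as .crt files in the anchors directory and run "
                "update-ca-trust extract" % issuer)
    return {"verdict": "untrusted_chain", "top_depth": top_depth,
            "missing_issuer_of": deepest["subject"], "hint": hint}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDAPS
    print(diagnose(parse_s_client(text))["hint"])
```

In the LDAPS case the script points at the "xxx Certificate Authority" DN itself, which is exactly the root that has to land in `/etc/pki/ca-trust/source/anchors/` as a `.crt` file; for the port 443 case it reports that the web server is sending no chain at all, which the trust store fix alone will not repair if the issuer is an intermediate.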
kunalbsharma
Posts: 7
Joined: Fri Aug 27, 2021 10:17 am

Re: Ldap/AD authentication issue - Certificate Validation er

Post by kunalbsharma »

Thank you ssax for the response.


I copied the CA root certificate to the "/etc/pki/ca-trust/source/anchors/" directory and ran those commands. However, I'm still getting the same error:
"verify error:num=20:unable to get local issuer certificate"

Is there any way I can clear all the certificates on the Nagios server and start from scratch?

Thanks
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Ldap/AD authentication issue - Certificate Validation er

Post by ssax »

Does this validate now? It should have done it system-wide.
- PM me the full sanitized output

openssl s_client -showcerts -connect ldapserver.xxx.com:636

Please attach or PM these files as well:

/etc/pki/tls/openssl.cnf
/etc/httpd/conf.d/ssl.conf
/etc/openldap/ldap.conf
kunalbsharma
Posts: 7
Joined: Fri Aug 27, 2021 10:17 am

Re: Ldap/AD authentication issue - Certificate Validation er

Post by kunalbsharma »

Hello Ssax,

Just sent you conf file along with the command output.

Thanks.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Ldap/AD authentication issue - Certificate Validation er

Post by ssax »

I PM'ed you the information for the CA certs you'll need. You need to add both of them following this guide:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

/etc/pki/ca-trust/source/anchors/

Then run these commands as root/sudo:

update-ca-trust extract
systemctl restart httpd php-fpm

Then test it again and let us know the results.
kunalbsharma
Posts: 7
Joined: Fri Aug 27, 2021 10:17 am

Re: Ldap/AD authentication issue - Certificate Validation er

Post by kunalbsharma »

Thanks Ssax. I uploaded both CA certificates and was able to successfully validate LDAP. However, I'm still having an issue authenticating with the LDAP or AD server.

I keep on getting "Invalid Credential". I enabled debug as mentioned in the following article "https://support.nagios.com/kb/article/a ... html#DEBUG" but I'm not getting anything in the log files.

Thanks
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Ldap/AD authentication issue - Certificate Validation er

Post by ssax »

If the debug logs aren't working you may be on EL8 (I can't get EL8 to do PHP LDAP debug logging either). What is the output of these commands:

uname -a
cat /etc/*release
php -v

Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.

The server the XI system is pointing at is a Windows Domain Controller, correct?

Login with a regular account, then go to Admin > Manage Users and click the Add Users from AD/LDAP button, type in some domain admin credentials and see if it is able to connect.
kunalbsharma
Posts: 7
Joined: Fri Aug 27, 2021 10:17 am

Re: Ldap/AD authentication issue - Certificate Validation er

Post by kunalbsharma »

Hello Ssax,

I have sent you a PM with all the responses. Please let me know if you need any further info.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Ldap/AD authentication issue - Certificate Validation er

Post by ssax »

I do not see the screenshot attached in the PM, please resend this:

Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.

Enable debugging again:

https://support.nagios.com/kb/article/a ... n-600.html

Then run this command as root (and leave it running):

tail -Fn0 /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then try to login/import again and send the full output.

If that still doesn't produce debug output, please create a ticket for this and include a link back to this forum thread so we can get a remote session setup:

https://support.nagios.com/tickets/