Ldap/AD authentication issue - Certificate Validation error
- Posts: 7
- Joined: Fri Aug 27, 2021 10:17 am
Ldap/AD authentication issue - Certificate Validation error
Hello Team,
I have an AD authentication issue after recent changes to our AD server. We had to migrate to a new AD server and update the same in nagios GUI "LDAP / AD Integration Page". After the migration we broke the AD authentication and needed some assistance to fix the same.
Based on several suggestions mentioned in the support forum, I was able to figure out the issue with the ssl certificate. However, I couldn't get it to work.
Any help you can provide would be most appreciated, thank you in advance.
Issue:
[root@nagios ~]# openssl s_client -showcerts -connect nagios.xxx.com:443
CONNECTED(00000003)
depth=0 CN = nagios.xxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nagios.cmc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
[root@nagios ~]# openssl s_client -showcerts -connect ldapserver.xxx.com:636
CONNECTED(00000003)
depth=1 DC = com, DC =xxx, CN = xxx Certificate Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=ldap.xxx.com
i:/DC=com/DC=xxx/CN=xxx Certificate Authority
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAgITIwAH5t6nwpGch9t9iQAAAAfm3jANBgkqhkiG9w0BAQsF
ADBSMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDY21jMSYw
Re: Ldap/AD authentication issue - Certificate Validation er
If your Log Server OS version is RedHat/CentOS/Oracle:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
/etc/pki/ca-trust/source/anchors/
Then run these commands as root/sudo:
update-ca-trust extract
systemctl restart httpd php-fpm
Then test it again and let us know the results.
If your Log Server OS version is Ubuntu/Debian:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
/usr/local/share/ca-certificates/
Then run these commands as root/sudo:
sudo update-ca-certificates
systemctl restart apache2
Then test it again and let us know the results.
Thank you!
- Posts: 7
- Joined: Fri Aug 27, 2021 10:17 am
Re: Ldap/AD authentication issue - Certificate Validation er
Thank you ssax for the response.
I copied the CA root certificate to "/etc/pki/ca-trust/source/anchors/" directory and ran those commands. However, I'm still getting the same error.
"verify error:num=20:unable to get local issuer certificate"
Is there any way I can clear all the certificates on the nagios server and start from scratch.
Thanks
Re: Ldap/AD authentication issue - Certificate Validation er
Does this validate now? It should have done it system-wide.
- PM me the full sanitized output
openssl s_client -showcerts -connect ldapserver.xxx.com:636
Please attach or PM these files as well:
/etc/pki/tls/openssl.cnf
/etc/httpd/conf.d/ssl.conf
/etc/openldap/ldap.conf
- Posts: 7
- Joined: Fri Aug 27, 2021 10:17 am
Re: Ldap/AD authentication issue - Certificate Validation er
Hello Ssax,
Just sent you conf file along with the command output.
Thanks.
Re: Ldap/AD authentication issue - Certificate Validation er
I PM'ed you the information for the CA certs you'll need, you need to add both of them following this guide:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
/etc/pki/ca-trust/source/anchors/
Then run these commands as root/sudo:
update-ca-trust extract
systemctl restart httpd php-fpm
Then test it again and let us know the results.
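The fix in the two replies above (both CA certificates into the anchors directory, then update-ca-trust extract) and the "unable to get local issuer certificate" error from the opening post are easier to reason about with a local reproduction. What follows is an added example written for this page, not code from the thread or from Nagios. It builds a throwaway root CA, an issuing (intermediate) CA and a server certificate with the openssl CLI, then runs openssl verify on the server certificate three ways: with only the root trusted, with both CA certificates trusted, and with the intermediate presented alongside the leaf the way a server's handshake chain would be. The host and CA names (ldap.xxx.com, "xxx Certificate Authority") mirror the sanitized output in the thread and are placeholders; the only assumption is that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the thread or Nagios). Reproduces
# "verify error:num=20:unable to get local issuer certificate" with a locally
# generated chain root CA -> issuing CA -> ldap.xxx.com, and shows that the
# server certificate only verifies once BOTH CA certificates are available,
# which is what two .crt files in /etc/pki/ca-trust/source/anchors/ plus
# "update-ca-trust extract" give the system trust store.
# Assumptions: openssl CLI present; all names below are placeholders.

WORK="${WORK:-$(mktemp -d)}"

# x509v3 extensions: one set for CA certificates, one for the server leaf.
write_exts() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.xxx.com\n' > "$WORK/leaf.ext"
}

# Key pair plus CSR: $1 = file prefix, $2 = subject DN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
    [ -f "$WORK/leaf.crt" ] && return 0      # already built
    write_exts
    # 1. Self-signed root CA (the single cert first copied into anchors/).
    make_csr root "/DC=com/DC=xxx/CN=xxx Root Certificate Authority" || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
    # 2. Issuing (intermediate) CA signed by the root: the second CA cert.
    make_csr int "/DC=com/DC=xxx/CN=xxx Certificate Authority" || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1 || return 1
    # 3. Server certificate for the LDAPS endpoint, issued by the intermediate.
    make_csr leaf "/CN=ldap.xxx.com" || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Verify the leaf with $1 as the trusted bundle and, optionally, $2 as an
# untrusted chain file (the role the server's -showcerts chain plays in a real
# handshake). Prints "ok" or "fail".
verify_leaf() {
    build_chain || { echo "build-failed"; return 1; }
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# Only the root trusted and the intermediate nowhere to be found: the thread's failure mode.
root_only() { verify_leaf "$WORK/root.crt"; }

# The reason openssl gives for that failure (same wording as in the thread).
root_only_reason() {
    build_chain || return 1
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Both CA certs trusted, i.e. both .crt files in anchors/ after update-ca-trust extract.
both_cas() {
    build_chain && cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/bundle.crt" && verify_leaf "$WORK/bundle.crt"
}

# Root trusted and the server sends the intermediate itself; then only the root
# needs to be in the trust store.
root_plus_served_intermediate() { verify_leaf "$WORK/root.crt" "$WORK/int.crt"; }

echo "root only:               $(root_only) ($(root_only_reason))"
echo "root + intermediate:     $(both_cas)"
echo "root, server sends int.: $(root_plus_served_intermediate)"
```

The third case is the caveat worth knowing before copying CA files around: if the domain controller served its intermediate in the handshake, the root alone would be enough, and the depth=1 error in the opening post shows the chain stopping at the CA it does present. Against the real server the equivalent check after update-ca-trust extract is openssl s_client -connect ldapserver.xxx.com:636 < /dev/null, which should end with "Verify return code: 0 (ok)"; each -----BEGIN CERTIFICATE----- block in its -showcerts output can be saved to its own .crt file and fed to openssl verify exactly as above to see which issuer is still missing.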
- Posts: 7
- Joined: Fri Aug 27, 2021 10:17 am
Re: Ldap/AD authentication issue - Certificate Validation er
Thanks Ssax. I uploaded both CA certificate and was able to successfully validate ldap. However, I'm still having issue authenticating with LDAP or AD server.
I keep on getting "Invalid Credential". I enabled debug as mentioned in the following articles "https://support.nagios.com/kb/article/a ... html#DEBUG" but I'm not getting anything in the logs files.
Thanks
Re: Ldap/AD authentication issue - Certificate Validation er
If the debug logs aren't working you may be on EL8 (I can't get EL8 to do PHP LDAP debug logging either), what is the output of these commands:
uname -a
cat /etc/*release
php -v
Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.
The server the XI system is pointing at is a Windows Domain Controller, correct?
Login with a regular account, then go to Admin > Manage Users and click the Add Users from AD/LDAP button, type in some domain admin credentials and see if it is able to connect.
- Posts: 7
- Joined: Fri Aug 27, 2021 10:17 am
Re: Ldap/AD authentication issue - Certificate Validation er
Hello Ssax,
I have sent you PM with all response. Please let me know if you need any further info.
Re: Ldap/AD authentication issue - Certificate Validation er
I do not see the screenshot attached in the PM, please resend this:
Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.
Enable debugging again:
https://support.nagios.com/kb/article/a ... n-600.html
Then run this command as root (and leave it running):
tail -Fn0 /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to login/import again and send the full output.
If that still doesn't produce debug output, please create a ticket for this and include a link back to this forum thread so we can get a remote session setup:
https://support.nagios.com/tickets/