Page 1 of 2
Ldap/AD authentication issue - Certificate Validation error
Posted: Thu Nov 11, 2021 12:08 pm
by kunalbsharma
Hello Team,
I have an AD authentication issue after recent changes to our AD server. We had to migrate to a new AD server and update the same in the Nagios GUI "LDAP / AD Integration Page". After the migration we broke the AD authentication and needed some assistance to fix the same.
Based on several suggestions mentioned in the support forum, I was able to figure out the issue with the SSL certificate. However, I couldn't get it to work.
Any help you can provide would be most appreciated, thank you in advance.
Issue:
[root@nagios ~]# openssl s_client -showcerts -connect nagios.xxx.com:443
CONNECTED(00000003)
depth=0 CN = nagios.xxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nagios.cmc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
[root@nagios ~]# openssl s_client -showcerts -connect ldapserver.xxx.com:636
CONNECTED(00000003)
depth=1 DC = com, DC =xxx, CN = xxx Certificate Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=ldap.xxx.com
i:/DC=com/DC=xxx/CN=xxx Certificate Authority
-----BEGIN CERTIFICATE-----
MIIF9TCCBN2gAwIBAgITIwAH5t6nwpGch9t9iQAAAAfm3jANBgkqhkiG9w0BAQsF
ADBSMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDY21jMSYw
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Thu Nov 11, 2021 3:11 pm
by ssax
If your Log Server OS version is RedHat/CentOS/Oracle:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
Then run these commands as root/sudo:
update-ca-trust extract
systemctl restart httpd php-fpm
Then test it again and let us know the results.
If your Log Server OS version is Ubuntu/Debian:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
Then run these commands as root/sudo:
sudo update-ca-certificates
systemctl restart apache2
Then test it again and let us know the results.
Thank you!
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Thu Nov 11, 2021 3:36 pm
by kunalbsharma
Thank you ssax for the response.
I copied the CA root certificate to "/etc/pki/ca-trust/source/anchors/" directory and ran those commands. However, I'm still getting the same error.
"verify error:num=20:unable to get local issuer certificate"
Is there any way I can clear all the certificates on the Nagios server and start from scratch?
Thanks
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Thu Nov 11, 2021 4:11 pm
by ssax
Does this validate now? It should have done it system-wide.
- PM me the full sanitized output
openssl s_client -showcerts -connect ldapserver.xxx.com:636
Please attach or PM these files as well:
/etc/pki/tls/openssl.cnf
/etc/httpd/conf.d/ssl.conf
/etc/openldap/ldap.conf
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Thu Nov 11, 2021 4:36 pm
by kunalbsharma
Hello Ssax,
Just sent you the conf file along with the command output.
Thanks.
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Fri Nov 12, 2021 11:09 am
by ssax
I PM'ed you the information for the CA certs you'll need; you need to add both of them following this guide:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
Then run these commands as root/sudo:
update-ca-trust extract
systemctl restart httpd php-fpm
Then test it again and let us know the results.
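The anchor-install procedure above, and the "both CA certs" point from this reply, as an added shell example (not ssax's or Nagios' own script): it splits a PEM bundle into individual .crt anchors, rebuilds the EL trust store and re-runs the s_client check so a lingering num=20 error fails loudly. The anchors and ca-bundle paths and the LDAPS_HOST / CA_PEM variables are assumptions.

```shell
# Added example (not the thread's own commands): install a PEM bundle holding
# the root and issuing CA as individual .crt anchors on an EL system, rebuild
# the trust store, then re-run the s_client check. Assumed: the EL anchors and
# ca-bundle paths below, plus hypothetical LDAPS_HOST / CA_PEM variables.
set -eu
ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Split a PEM file with one or more certificates into <prefix>-N.crt files
# under outdir (one cert per .crt file, as the reply above requires);
# prints the number of certificates written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"; prefix="${3:-ca}"
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pfx "-" n ".crt" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Install the anchors, regenerate the system bundle and restart the services
# that cache the old trust store.
install_anchors() {
    count=$(split_pem_bundle "$1" "$ANCHORS_DIR")
    echo "installed $count anchor(s) in $ANCHORS_DIR"
    update-ca-trust extract
    systemctl restart httpd php-fpm
}

# Succeeds only if the LDAPS chain verifies against the system bundle:
# -verify_return_error turns a verify error such as num=20 into a non-zero
# exit instead of the "verify return:1" seen in the thread's output.
verify_ldaps() {
    host="$1"; port="${2:-636}"
    openssl s_client -connect "$host:$port" -CAfile "$CA_BUNDLE" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Only act when both variables are set, so sourcing the file is harmless.
if [ -n "${LDAPS_HOST:-}" ] && [ -n "${CA_PEM:-}" ]; then
    install_anchors "$CA_PEM"
    if verify_ldaps "$LDAPS_HOST"; then
        echo "chain for $LDAPS_HOST verifies against $CA_BUNDLE"
    else
        echo "chain still fails: both root and issuing CA must be in $ANCHORS_DIR" >&2
        exit 1
    fi
fi
```

Run it as root with CA_PEM pointing at the file holding both CA certs and LDAPS_HOST set to the domain controller; the exit status tells you whether the chain now validates.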
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Fri Nov 12, 2021 11:15 am
by kunalbsharma
Thanks Ssax. I uploaded both CA certificates and was able to successfully validate LDAP. However, I'm still having an issue authenticating with the LDAP or AD server.
I keep on getting "Invalid Credential". I enabled debug as mentioned in the following article "https://support.nagios.com/kb/article/a ... html#DEBUG" but I'm not getting anything in the log files.
Thanks
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Fri Nov 12, 2021 5:58 pm
by ssax
If the debug logs aren't working you may be on EL8 (I can't get EL8 to do PHP LDAP debug logging either). What is the output of these commands:
Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.
The server the XI system is pointing at is a Windows Domain Controller, correct?
Login with a regular account, then go to Admin > Manage Users and click the Add Users from AD/LDAP button, type in some domain admin credentials and see if it is able to connect.
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Mon Nov 15, 2021 10:08 am
by kunalbsharma
Hello Ssax,
I have sent you a PM with all the responses. Please let me know if you need any further info.
Re: Ldap/AD authentication issue - Certificate Validation er
Posted: Mon Nov 15, 2021 2:58 pm
by ssax
I do not see the screenshot attached in the PM, please resend this:
Please PM me a screenshot of your settings in Admin > LDAP/AD Integration with your AD server settings expanded.
Enable debugging again:
https://support.nagios.com/kb/article/a ... n-600.html
Then run this command as root (and leave it running):
tail -Fn0 /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to login/import again and send the full output.
If that still doesn't produce debug output, please create a ticket for this and include a link back to this forum thread so we can get a remote session setup:
https://support.nagios.com/tickets/