SSL AD Integration
Posted: Mon Dec 13, 2021 4:51 pm
by mcockram
Trying to set up SSL AD integration and I get the below error. Can you please help resolve it?
Unable to authenticate: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)
Re: SSL AD Integration
Posted: Tue Dec 14, 2021 2:43 pm
by ssax
What OS/version is your XI system running?
The SSL settings on the XI system likely don't allow it.
A proper fix would be to regenerate the cert/key on your domain controller with a stronger certificate key to match what the newer XI server OS is requiring but there is likely a method to reduce the security level on the XI server OS (not something I generally recommend but may be needed in certain situations where you can't/don't want to update the domain controller's cert).
PM the full output of this command as well:
- Change X.X.X.X to the IP or DNS name of your domain controller
Code:
echo 'DONE' | openssl s_client -showcerts -connect X.X.X.X:636
Re: SSL AD Integration
Posted: Fri Jan 07, 2022 3:55 pm
by mcockram
Code:
# cat /etc/*release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
Red Hat Enterprise Linux release 8.5 (Ootpa)
Red Hat Enterprise Linux release 8.5 (Ootpa)
# php -v
PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
How do I reduce the security from the RHEL side? I don't want to mess with the domain controller.
Re: SSL AD Integration
Posted: Fri Jan 07, 2022 8:12 pm
by ssax
I'm not sure you'll be able to; you could try doing this:
Code:
update-crypto-policies --set LEGACY
reboot
See here:
https://access.redhat.com/articles/3666211
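Added example, not part of the original posts and not Nagios or Red Hat code: "EE certificate key too weak" means OpenSSL rejected the server's own (end-entity) certificate key under the active security level, so this sketch reads `openssl x509 -noout -text` output and reports which RHEL 8 crypto policy would accept that key. It assumes DEFAULT maps to OpenSSL security level 2 (RSA/DSA at least 2048 bits, EC at least 224) and LEGACY to level 1 (RSA/DSA at least 1024, EC at least 160); the function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a certificate's public key against the OpenSSL
# security levels selected by RHEL 8 crypto policies (assumed mapping:
# DEFAULT -> level 2, LEGACY -> level 1).

# Read `openssl x509 -noout -text` output on stdin, print "<alg> <bits>".
leaf_key_info() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ {
            bits = $0
            sub(/.*Public-Key: \(/, "", bits)
            sub(/ bit\).*/, "", bits)
        }
        END { if (alg != "" && bits != "") print alg, bits; else exit 1 }
    '
}

# Print the strictest policy that accepts the key: DEFAULT, LEGACY or NONE.
policy_for_key() {
    alg=$1; bits=$2; lvl2=2048; lvl1=1024      # RSA/DSA thresholds
    case $alg in
        id-ecPublicKey) lvl2=224; lvl1=160 ;;  # EC keys use smaller sizes
    esac
    if   [ "$bits" -ge "$lvl2" ]; then echo DEFAULT
    elif [ "$bits" -ge "$lvl1" ]; then echo LEGACY
    else echo NONE
    fi
}

# Constructed sample: the relevant lines of `openssl x509 -noout -text`
# for a 1024-bit RSA certificate (not taken from the thread).
SAMPLE_TEXT='    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

# Combine both steps: stdin is certificate text, output is one summary line.
check_cert_text() {
    info=$(leaf_key_info) || { echo "no key found"; return 1; }
    # Word splitting of $info into "<alg> <bits>" is intentional here.
    echo "$info -> $(policy_for_key $info)"
}

# Live use (X.X.X.X as in the thread):
#   openssl s_client -connect X.X.X.X:636 </dev/null 2>/dev/null |
#       openssl x509 -noout -text | check_cert_text
```

A result of LEGACY means the key passes only after lowering the policy; NONE means the key is below what even the LEGACY thresholds assumed here accept, so the certificate would have to be reissued.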
Re: SSL AD Integration
Posted: Tue Feb 01, 2022 2:40 am
by basbb
Any updates on this issue? I am running into an identical problem on RHEL 8. Tried legacy mode: update-crypto-policies --set LEGACY. Certificates from the AD seem to be working fine for the rest of the organization.
Re: SSL AD Integration
Posted: Wed Feb 02, 2022 11:00 am
by ssax
@basbb, I claimed the ticket you submitted and requested more information.
@mcockram did that resolve the issue for you or are you still having issues?