LDAP Cert Replacement

Posted: Wed Feb 02, 2022 1:23 pm
by Robin_JaCo
Hello Community,

I am replacing the domain cert in the LDAP/Active Directory Integration Configuration section in NagiosXI (Admin -> Users -> LDAP/AD Integration), and when I attempt to import a user the system gives me the following error:

Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)

The old cert expired, but the new one is good for some time.

Our setup:

We are running CentOS 7 64-bit on VMware.

Troubleshooting steps:

I removed the old cert and rebooted the system (since I wasn't sure which service needed to be restarted).
I also ran an Apply Configuration in case the cert was part of the config (I know it probably wasn't, but I didn't know what else to do).

Any help would be appreciated. My HTTPS cert is still in place and working just fine. This is the LDAP cert that allows secure comms to AD for user management.

Thank you,
Robin Huighe

Re: LDAP Cert Replacement

Posted: Thu Feb 03, 2022 1:03 pm
by ssax
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /etc/pki/ca-trust/source/anchors/

Then run these commands:

    update-ca-trust extract
    systemctl restart httpd

Then test it again.

If that still doesn't work, take your CA certs and put them into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart Apache and try again:

    systemctl restart httpd

That should do it.

If that still doesn't resolve it (it should), please PM me the output of this command:
- Change your.ad_or_ldap.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
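
The steps in the reply above, as an added example that is not part of ssax's post or of Nagios XI: a small POSIX sh toolkit that splits a stacked CA bundle into the per-file .crt anchors update-ca-trust expects, checks each anchor's remaining validity (the expired-cert failure in the opening post), and turns the s_client check into a pass/fail verification. The directory and file paths are the ones named in the reply; your.ad_or_ldap.server is the same placeholder the reply uses.

```shell
#!/bin/sh
# Added example (not from the thread). Paths default to those in the reply;
# the host name is a placeholder the operator replaces.

# Split a PEM bundle (CA certs stacked one on top of the other) into
# individual files with the .crt extension update-ca-trust requires.
# Usage: split_bundle bundle.pem /etc/pki/ca-trust/source/anchors
# Prints the number of certificates written.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = sprintf("%s/ca-%02d.crt", dir, i); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
        END { print i + 0 }' "$bundle"
}

# Report whether every .crt in a directory is still valid for at least
# SECONDS (default 30 days). Returns 0 if all pass, 1 if any is expiring.
# This is the check that would have caught the "certificate has expired"
# error before the LDAP import was attempted.
check_expiry() {
    dir="$1"; secs="${2:-2592000}"; rc=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || { echo "no .crt files in $dir" >&2; return 1; }
        if openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            echo "OK       $f  ($(openssl x509 -in "$f" -noout -enddate))"
        else
            echo "EXPIRING $f  ($(openssl x509 -in "$f" -noout -enddate))"
            rc=1
        fi
    done
    return $rc
}

# Verify the chain a live LDAPS server presents against the CA file from the
# reply, the same s_client call but reduced to an exit status. Requires
# network access to the server, so it is not exercised offline.
verify_ldaps_chain() {
    host="${1:-your.ad_or_ldap.server}"; cafile="${2:-/etc/openldap/certs/ca.pem}"
    echo 'DONE' | openssl s_client -connect "$host:636" -CAfile "$cafile" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run split_bundle on the bundle, then check_expiry on the anchors directory before update-ca-trust extract; a non-zero status means one of the CA certs would fail the same way the expired one did.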

Re: LDAP Cert Replacement

Posted: Thu Feb 03, 2022 4:04 pm
by Robin_JaCo
Thank you ssax.

Manually adding the .crt files (which, by the way, are renamed base-64 encoded X.509 .cer files) and running those commands worked.

My only advice, to those reading along, is that I only needed the new cert file. Ssax's instructions indicated needing the old and new, and that was not the case.

Re: LDAP Cert Replacement

Posted: Fri Feb 04, 2022 1:41 pm
by ssax
Thank you for posting your update, I'm glad it's working! I apologize that I wasn't more clear, I'll try to reword that to be more clear in the future.

For clarity:

You would not want to use the old certs, only all CA certificates that complete the LDAP/AD server certificate's CA signer certificate chain. For example, if a subordinate CA issued the LDAP/AD certificate, you would still need the Root CA's signer certificate that signed the subordinate CA's signer certificate to complete the chain. The instructions I crafted above try to be generic to cover both situations (single vs. multiple CA certificates in the chain).

Locking and marking as resolved.

Thank you!