SSL AD integration now working RHEL8
Posted: Wed Feb 16, 2022 6:38 am
by sgomeztd
Hi,
I'm building a new Nagios Server and I'm having problems with the AD integration on a RHEL8. I have copied the LDAP Integration details from our old Nagios server, where it works OK (although it is a CentOS 6). The certificate for HTTPS works OK.
When I try to import users I get the following error despite having added the root CA and intermediate certificates using the GUI. In fact, on the old server I only have the root and one of the intermediate CAs, but on this server I tried to include all 5 of our intermediate CAs just in case, and that didn't solve it either.
By the way, we are using certificates issued by our Windows Root CA; these are not commercial certificates.
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
I added the .pem files using the command "trust anchor certif.pem" as described in the RHEL8 documentation, and I can successfully run the command
openssl s_client -showcerts -connect ldap.server:636
I have also tried running a direct ldapsearch query, but I also get an error stating it cannot find the local issuer certificate, despite it being on the server if I run a "trust list" command.
[root@usclwnagios01 sgomez]# ldapsearch -x -b "DC=domain" -H ldaps://ldap.server -d 1
ldap_url_parse_ext(ldaps://ldap.server)
ldap_create
ldap_url_parse_ext(ldaps://ldap.server:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.100.68.17:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 20, subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
We have 5 intermediate issuers, so I ended up adding all of them using the "trust anchor" command and to the LDAP Integration section of the GUI.
Re: SSL AD integration now working RHEL8
Posted: Wed Feb 16, 2022 5:49 pm
by kfanselow
Hi sgomeztd,
What do you have set for TLS_CACERTDIR in your /etc/openldap/ldap.conf, and what do the file permissions look like?
e.g.
Also appended below for convenience's sake is our documentation on using SSL with Active Directory:
https://assets.nagios.com/downloads/nag ... ponent.pdf
Thanks and Best Regards,
Keith
Re: SSL AD integration now working RHEL8
Posted: Thu Feb 17, 2022 5:31 am
by sgomeztd
Hi,
My /etc/openldap/ldap.conf is the default file; no changes have been made to it.
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by #TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
TLS_CACERTDIR /etc/openldap/cacerts
The cert symlinks get created correctly in /etc/openldap/certs when I upload them in the NagiosXI GUI.
[root@usclwnagios01 ~]# find /etc/openldap/ -ls
100968940 0 drwxrwxr-x 5 apache nagios 65 Feb 17 05:22 /etc/openldap/
327899 4 drwxrwxr-x 2 apache nagios 4096 Feb 16 04:55 /etc/openldap/certs
2226010 4 -rw-r--r-- 1 apache apache 2349 Feb 16 03:43 /etc/openldap/certs/620cb94bab302.crt
2836630 8 -rw-r--r-- 1 apache apache 6424 Feb 16 03:43 /etc/openldap/certs/620cb94bab302.pem
2836644 4 -rw-r--r-- 1 apache apache 1540 Feb 16 03:44 /etc/openldap/certs/620cb9592e5b0.crt
2836645 8 -rw-r--r-- 1 apache apache 4782 Feb 16 03:44 /etc/openldap/certs/620cb9592e5b0.pem
2836648 4 -rw-r--r-- 1 apache apache 2064 Feb 16 04:50 /etc/openldap/certs/620cc8e8a6e0a.crt
2836667 8 -rw-r--r-- 1 apache apache 6061 Feb 16 04:50 /etc/openldap/certs/620cc8e8a6e0a.pem
2270794 4 -rw-r--r-- 1 apache apache 2122 Feb 16 04:55 /etc/openldap/certs/620cca013d2c9.crt
2836670 8 -rw-r--r-- 1 apache apache 6130 Feb 16 04:55 /etc/openldap/certs/620cca013d2c9.pem
2838344 4 -rw-r--r-- 1 apache apache 2468 Feb 16 04:55 /etc/openldap/certs/620cca0e5048d.crt
2838345 8 -rw-r--r-- 1 apache apache 7601 Feb 16 04:55 /etc/openldap/certs/620cca0e5048d.pem
2838346 4 -rw-r--r-- 1 apache apache 2350 Feb 16 04:55 /etc/openldap/certs/620cca1833697.crt
2838347 8 -rw-r--r-- 1 apache apache 6424 Feb 16 04:55 /etc/openldap/certs/620cca1833697.pem
102364493 4 -rw-rw-r-- 1 apache nagios 937 Feb 15 07:19 /etc/openldap/ldap.conf
100968937 0 drwxr-xr-x 2 root root 26 Jan 27 06:50 /etc/openldap/schema
100968938 24 -rw-r--r-- 1 root root 23182 Jan 27 06:50 /etc/openldap/schema/samba.schema
36389776 0 drwxrwxr-x 2 apache nagios 144 Feb 16 04:55 /etc/openldap/cacerts
36389780 0 lrwxrwxrwx 1 apache apache 37 Feb 16 03:43 /etc/openldap/cacerts/620cb94bab302.0 -> /etc/openldap/certs/620cb94bab302.pem
36389782 0 lrwxrwxrwx 1 apache apache 37 Feb 16 03:44 /etc/openldap/cacerts/620cb9592e5b0.0 -> /etc/openldap/certs/620cb9592e5b0.pem
36389783 0 lrwxrwxrwx 1 apache apache 37 Feb 16 04:50 /etc/openldap/cacerts/620cc8e8a6e0a.0 -> /etc/openldap/certs/620cc8e8a6e0a.pem
36389790 0 lrwxrwxrwx 1 apache apache 37 Feb 16 04:55 /etc/openldap/cacerts/620cca013d2c9.0 -> /etc/openldap/certs/620cca013d2c9.pem
36389791 0 lrwxrwxrwx 1 apache apache 37 Feb 16 04:55 /etc/openldap/cacerts/620cca0e5048d.0 -> /etc/openldap/certs/620cca0e5048d.pem
36389792 0 lrwxrwxrwx 1 apache apache 37 Feb 16 04:55 /etc/openldap/cacerts/620cca1833697.0 -> /etc/openldap/certs/620cca1833697.pem
I have been following that document and others related to AD integration and SSL, but nothing of what is described in them seems to be very useful in this situation.
Re: SSL AD integration now working RHEL8
Posted: Thu Feb 17, 2022 6:16 pm
by ssax
Please edit your /etc/openldap/ldap.conf and uncomment this line:
So it looks like this:
Then restart apache/php-fpm and test again:
If that still doesn't resolve it, do this:
Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files
Then run these commands:
update-ca-trust extract
systemctl restart httpd php-fpm
Then test it again.
If that still doesn't resolve it (it should), please send the full output of this command:
- Change your.ad_or_ldap.server before running
echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
Thank you!
Re: SSL AD integration now working RHEL8
Posted: Fri Feb 18, 2022 10:26 am
by sgomeztd
ssax wrote: Please edit your /etc/openldap/ldap.conf and uncomment this line:
So it looks like this:
Then restart apache/php-fpm and test again:
You are the best!!! Just uncommenting that line and restarting the services was enough, and now both the ldapsearch command and the NagiosXI AD Import feature work OK.
I honestly don't know how my test server, which is also a RHEL8, has the AD integration working, because that line was not commented either, and I realized ldapsearch was not working either :/
Re: SSL AD integration now working RHEL8
Posted: Mon Feb 21, 2022 1:32 pm
by ssax
Do you have the TLS_CACERTDIR setting defined in the /etc/openldap/ldap.conf on the one you didn't have to change? If not, that would likely be why.
I think you can also adjust the Apache /etc/httpd/conf.d/ssl.conf to add your CA trust and make it work as well, but the system-wide method would be preferred.
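An added check, not part of the original posts, that turns the thread's diagnosis into something you can run before touching a server. ldap.conf(5) documents two behaviours that match the symptoms above: once TLS_CACERTDIR is set, libldap stops consulting the shared system trust store, so CAs added with "trust anchor" (which end up in the bundle behind /etc/pki/tls/cert.pem) are invisible unless TLS_CACERT names that bundle explicitly, which is exactly what the comment block in the posted default ldap.conf says; and a TLS_CACERTDIR must be managed with c_rehash / openssl rehash, meaning entries named <8-hex-digit subject hash>.<n>, so the 13-hex-digit symlink names in the listing are never opened by that lookup at all. The line ssax had the poster uncomment is not reproduced on this page, so the script assumes the TLS_CACERT / TLS_CACERTDIR pair is the one that matters. It runs offline against a scratch copy of the thread's layout; the config text and file names are constructed from the posts, not read from a real system.

```shell
#!/bin/sh
# Added example, not from the thread. Lints an OpenLDAP client config for the
# two trust-store pitfalls discussed above. Assumptions: the relevant directives
# are TLS_CACERT and TLS_CACERTDIR (ldap.conf(5)); no host or certificate is
# contacted; sample config and file names below are constructed from the posts.

# Print the active (uncommented) value of a directive, or nothing if unset.
# Keyword match is case-insensitive, as libldap treats it; "#TLS_CACERT" is
# a different token from "TLS_CACERT", so commented lines never match.
ldap_conf_get() {  # $1 = config file, $2 = directive name (upper case)
    awk -v key="$2" 'toupper($1) == key { print $2; exit }' "$1"
}

# "system-trust-bypassed" when TLS_CACERTDIR is set but TLS_CACERT is not:
# in that state the CAs installed with "trust anchor" are not used by libldap.
check_cacert_bundle() {  # $1 = config file
    dir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    file=$(ldap_conf_get "$1" TLS_CACERT)
    if [ -n "$dir" ] && [ -z "$file" ]; then
        echo "system-trust-bypassed"
    else
        echo "ok"
    fi
}

# List entries of a TLS_CACERTDIR that are not in c_rehash form (<8 hex>.<n>).
# OpenSSL's directory lookup only ever opens names of that shape, so anything
# printed here is dead weight no matter what certificate it holds.
unhashed_entries() {  # $1 = directory
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # keep dangling symlinks too
        name=${f##*/}
        case "$name" in
            *.*) stem=${name%.*}; ext=${name##*.} ;;
            *)   echo "$name"; continue ;;
        esac
        if ! printf '%s' "$stem" | grep -Eq '^[0-9a-f]{8}$' \
           || ! printf '%s' "$ext" | grep -Eq '^[0-9]+$'; then
            echo "$name"
        fi
    done
}

# Constructed sample reproducing the thread: the default RHEL 8 ldap.conf with
# TLS_CACERT commented out, the TLS_CACERTDIR line, and two of the GUI-created
# symlink names from the listing, plus one entry as "openssl rehash" would name it.
make_sample() {  # $1 = scratch directory
    mkdir -p "$1/cacerts"
    cat > "$1/ldap.conf" <<'EOF'
#TLS_CACERT /etc/pki/tls/cert.pem
SASL_NOCANON on
TLS_CACERTDIR /etc/openldap/cacerts
EOF
    for n in 620cb94bab302 620cb9592e5b0; do
        : > "$1/cacerts/$n.0"
    done
    : > "$1/cacerts/3f1c2b4a.0"    # hypothetical hash-named entry (constructed)
}

# The corrected configuration: TLS_CACERT names the shared bundle explicitly,
# so the directory and the system trust store are both consulted.
make_fixed() {  # $1 = scratch directory
    cat > "$1/ldap.conf.fixed" <<'EOF'
TLS_CACERT /etc/pki/tls/cert.pem
SASL_NOCANON on
TLS_CACERTDIR /etc/openldap/cacerts
EOF
}

# Demo run against the scratch layout (replace the paths with
# /etc/openldap/ldap.conf and /etc/openldap/cacerts on a real host).
scratch=$(mktemp -d)
make_sample "$scratch"
echo "bundle check (before): $(check_cacert_bundle "$scratch/ldap.conf")"
make_fixed "$scratch"
echo "bundle check (after):  $(check_cacert_bundle "$scratch/ldap.conf.fixed")"
echo "entries libldap will never open:"
unhashed_entries "$scratch/cacerts"
rm -rf "$scratch"
```

On a real box, run check_cacert_bundle against /etc/openldap/ldap.conf and unhashed_entries against whatever TLS_CACERTDIR points at; if the first reports system-trust-bypassed, uncommenting TLS_CACERT (as the thread ends up doing) restores the "trust anchor" CAs, and if the second prints anything, those files are not contributing to verification and the directory needs "openssl rehash" or the certificates belong in the system trust store instead. Restart httpd and php-fpm after either change, since the PHP LDAP module reads ldap.conf at process start.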
Re: SSL AD integration now working RHEL8
Posted: Fri Feb 25, 2022 4:59 am
by sgomeztd
ssax wrote:Do you have the TLS_CACERTDIR setting defined in the /etc/openldap/ldap.conf on the one you didn't have to change? If not, that would likely be why.
The ldap.conf was not edited, so it had the default configuration that comes with RHEL8; that line exists but is commented out by default, so all I had to do was remove the comment.
Re: SSL AD integration now working RHEL8
Posted: Mon Feb 28, 2022 12:13 pm
by ssax
Okay, that makes sense.
Yeah, the issue is that I think openldap or php-ldap changed the method or something; before, it used to work with the system ones without doing that, and now it doesn't, so it would be required.
Glad it's working, I've had to do this on other systems as well and I've reported it to development.
Let us know when we're okay to lock this up and mark it as resolved.
Thank you!
Re: SSL AD integration now working RHEL8
Posted: Wed Mar 23, 2022 3:16 am
by sgomeztd
All is working fine so mark this post as resolved.