When using the "LDAP / Active Directory Import Users" component in Nagios XI, you may receive an error like the following when attempting to log in:
Unable to authenticate: TLS error-8179:Peer's Certificate issuer is not recognized.
Issues like these can occur when the certificate you've added to Nagios XI is for a root CA, but a subordinate CA is what actually issued the certificate. In that case the subordinate CA certificate also needs to be uploaded.
Resolving the Problem
The first step is to remove the existing certificates.
Log into the Nagios XI Web interface
Navigate to Admin > Users > LDAP/AD Integration
Under the Certificate Authority Management section, delete all the existing certificates by clicking the X icon in the Actions column
Log into your Nagios XI server in an SSH session and execute the following commands:
mkdir -p /etc/openldap/cacerts
chown apache:nagios /etc/openldap /etc/openldap/cacerts /etc/openldap/certs
chmod 664 /etc/openldap/ldap.conf
chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts
sed -i 's/TLS_CACERTDIR/#TLS_CACERTDIR/g' /etc/openldap/ldap.conf
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/openldap/ldap.conf
Finally, restart the Apache service using the command below that matches your distribution:
RHEL 7 | CentOS 7 | Oracle Linux 7
systemctl restart httpd.service
Debian | Ubuntu 16/18
systemctl restart apache2.service
Now add all the required CA certificates.
Log into the Nagios XI Web interface
Navigate to Admin > Users > LDAP/AD Integration
Under the Certificate Authority Management section, click the Add Certificate button
Paste the text from your certificate and then click the Add Certificate button
Once you have completed the above steps, the Import Users functionality will work, provided the CA certificates match the LDAP / Active Directory server they are authenticating against.
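The cause described at the top of this article can be reproduced and checked offline with openssl. The following is an added example, not part of the original Nagios article: it builds a constructed root CA, subordinate CA and LDAP server certificate (all names and file names are made up) and shows that verification fails with the root alone and succeeds once the subordinate CA certificate is included. It assumes OpenSSL 1.1.0 or later, where openssl verify returns a non-zero exit status on failure.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: root CA -> subordinate CA -> LDAP
# server certificate. Names and files are made up; nothing here touches Nagios XI.

# new_csr DIR NAME CN : generate a private key and a signing request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_demo_chain DIR : writes root.pem, sub.pem and ldap.pem into DIR.
build_demo_chain() {
    echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
    new_csr "$1" root "Demo Root CA" &&
    new_csr "$1" sub "Demo Subordinate CA" &&
    new_csr "$1" ldap "ldap.example.test" &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/sub.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/ldap.csr" -CA "$1/sub.pem" -CAkey "$1/sub.key" \
        -CAcreateserial -days 2 -out "$1/ldap.pem" 2>/dev/null
}

# chain_ok SERVER_CERT CA_BUNDLE : succeeds only when CA_BUNDLE holds every
# issuer between the server certificate and a self-signed root.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# issuer_of CERT : prints the issuer, i.e. the CA whose certificate is needed.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    build_demo_chain "$dir" || { rm -rf "$dir"; return 1; }
    issuer_of "$dir/ldap.pem"
    # Root only: the subordinate CA that signed ldap.pem is missing.
    chain_ok "$dir/ldap.pem" "$dir/root.pem" && echo "root only: OK" || echo "root only: FAIL"
    # Root plus subordinate: the chain is complete.
    cat "$dir/root.pem" "$dir/sub.pem" > "$dir/bundle.pem"
    chain_ok "$dir/ldap.pem" "$dir/bundle.pem" && echo "root + subordinate: OK" || echo "root + subordinate: FAIL"
    rm -rf "$dir"
}
demo
```

Run against a real LDAP server certificate saved as a PEM file, issuer_of shows which CA issued it, and chain_ok confirms whether the set of CA certificates you plan to add is complete.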
Final Thoughts
For any support-related questions please visit the Nagios Support Forums at:
http://support.nagios.com/forum/
Article ID: 524
Created On: Tue, Jul 26, 2016 at 2:37 AM
Last Updated On: Tue, Feb 9, 2021 at 10:34 AM
Authored by: tlea
Online URL: https://support.nagios.com/kb/article/nagios-xi-ldap-active-directory-import-users-certificate-issues-524.html