Certificate problems with check_ldap

PRP f.hugh at comcast.net
Sun Oct 16 23:01:17 CEST 2011


Thanks for the info.  You led me in the right direction.  Once I figured out the format of the default ca-bundle.crt, I added my corporation's intermediate and root certs.  I then added that file and path to the openldap config file as you mention, and I was in business.

-prp

-----Original Message-----
From: Marc-André Doll [mailto:mad at b-care.net] 
Sent: Monday, October 03, 2011 1:45 AM
To: nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] Certificate problems with check_ldap

Hi,

I had this problem once. You have to get your root CA and copy it to your default CA certificates directory on your Nagios server (on RedHat it is /etc/openldap/cacerts) or copy it wherever you want and add the line "TLS_CACERT /path/to/my/root/CA.pem" to your openldap configuration file.

It solved my problem.

Marc-André

On Fri, 2011-09-30 at 18:39 +0000, f.hugh at comcast.net wrote:
> I have been able to get check_ldap to work fine over the clear on port 
> 389.  When I try to use ssl 636 it fails.  It can't verify the cert 
> since it is our own CA and not a commercial CA that signed the cert.
> 
> This is the error I get:
> <SNIP>
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Could 
> not bind to the LDAP server </SNIP>
>  
> I am certain that it is the trust of the cert that is the problem.  I 
> have googled this for half the day looking for the method to insert 
> our Root CA as trusted, but have had no luck.  Anyone been able to 
> accomplish this?  Think of it as a self signed cert installed on our 
> AD domain controllers.
>  
> -paul
> 
> ----------------------------------------------------------------------
> -------- All of the data generated in your IT infrastructure is 
> seriously valuable.
> Why? It contains a definitive record of application performance, 
> security threats, fraudulent activity, and more. Splunk takes this 
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2dcopy2
> _______________________________________________ Nagios-users mailing 
> list Nagios-users at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please 
> include Nagios version, plugin version (-v) and OS when reporting any 
> issue. ::: Messages without supporting info will risk being sent to 
> /dev/null
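The fix the thread arrives at has two parts: build a PEM bundle holding the corporate root and intermediate certificates (the format of ca-bundle.crt is simply PEM blocks concatenated one after another), then point the OpenLDAP client at it with TLS_CACERT. The script below is an added example, not code from the thread; it uses constructed placeholder PEM blocks rather than real certificates, and the file names (corp-root.pem, corp-intermediate.pem, ca-bundle.crt) are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): assemble a PEM CA bundle
# from the corporate root + intermediate certs and point the OpenLDAP client
# config at it, the same way the thread describes doing it by hand.
set -eu

# Constructed sample input: placeholder PEM blocks, NOT real certificates.
# Real files would come from the corporate PKI team.
make_sample_certs() {
  dir="$1"
  mkdir -p "$dir"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIB...corp-root-placeholder...' \
    '-----END CERTIFICATE-----' > "$dir/corp-root.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIB...corp-intermediate-placeholder...' \
    '-----END CERTIFICATE-----' > "$dir/corp-intermediate.pem"
  # A stray non-certificate file that the bundler must skip.
  echo "this is not a certificate" > "$dir/README"
}

# Number of PEM certificate blocks in a file.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate every PEM certificate under $1 into the bundle $2.
# Prints the number of certificates that ended up in the bundle.
build_bundle() {
  src="$1"; out="$2"
  : > "$out"
  for f in "$src"/*.pem; do
    [ -f "$f" ] || continue
    # Skip anything that is not PEM; a junk file would make libldap's
    # parser reject the whole bundle.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
    cat "$f" >> "$out"
    # Guarantee a newline between blocks so two certs never run together.
    [ "$(tail -c 1 "$out" | od -An -c | tr -d ' ')" = '\n' ] || echo >> "$out"
  done
  chmod 0644 "$out"
  count_certs "$out"
}

# Set TLS_CACERT in an ldap.conf, replacing any existing line so the
# directive is never duplicated.  TLS_REQCERT is deliberately left at its
# default (demand): the point is to trust the corporate CA, not to turn
# verification off.
set_tls_cacert() {
  conf="$1"; bundle="$2"
  [ -f "$conf" ] || : > "$conf"
  grep -v '^TLS_CACERT[[:space:]]' "$conf" > "$conf.tmp" || true
  printf 'TLS_CACERT %s\n' "$bundle" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
  grep -c '^TLS_CACERT' "$conf"
}

# Stand-alone demo in a scratch directory (nothing touches /etc).
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir/certs"
n=$(build_bundle "$demo_dir/certs" "$demo_dir/ca-bundle.crt")
echo "bundle contains $n certificate(s)"
printf 'BASE dc=example,dc=com\nTLS_CACERT /old/path.pem\n' > "$demo_dir/ldap.conf"
set_tls_cacert "$demo_dir/ldap.conf" "$demo_dir/ca-bundle.crt" >/dev/null
cat "$demo_dir/ldap.conf"
```

On a real Nagios host the bundle would live somewhere like /etc/openldap/cacerts/ca-bundle.crt and the config file would be /etc/openldap/ldap.conf; after that, `openssl s_client -connect dc.example.com:636 -CAfile /etc/openldap/cacerts/ca-bundle.crt` should report `Verify return code: 0 (ok)` before check_ldap is tried again. Note that the bundle must contain the intermediate as well as the root when the domain controllers' certificates are issued by a subordinate CA, which is exactly what the first reply above found.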



------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

