Certificate problems with check_ldap
PRP
f.hugh at comcast.net
Sun Oct 16 23:01:17 CEST 2011
Thanks for the info. You lead me in the right direction. Once I figured out the format of the default ca-bundle.crt, I added my corporation's intermediate and root certs. I then added that file and path to the openldap config file as you mention, and I was in business.
-prp
-----Original Message-----
From: Marc-André Doll [mailto:mad at b-care.net]
Sent: Monday, October 03, 2011 1:45 AM
To: nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] Certificate problems with check_ldap
Hi,
I had this problem once. You have to get your root CA and copy it to your default CA certificates directory on your Nagios server (on RedHat it is /etc/openldap/cacerts) or copy it where ever you want and add the line "TLS_CACERT /path/to/my/root/CA.pem" to your openldap configuration file.
It solved my problem.
Marc-André
On Fri, 2011-09-30 at 18:39 +0000, f.hugh at comcast.net wrote:
> I have been able to get check_ldap to work fine over the clear on port
> 389. When I try to use ssl 636 it fails. It can't verify the cert
> since it is our own CA and not a comercial CA that signed the cert.
>
> This is the error I get:
> <SNIP>
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Could
> not bind to the LDAP server </SNIP>
>
> I am certain that it is the trust of the cert that is the problem. I
> have googled this for half the day looking for the method to insert
> our Root CA as trusted, but have had no luck. Anyone been able to
> accomplish this? Think of it as a self signed cert installad on our
> AD domain controllers.
>
> -paul
>
> ----------------------------------------------------------------------
> -------- All of the data generated in your IT infrastructure is
> seriously valuable.
> Why? It contains a definitive record of application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2dcopy2
> _______________________________________________ Nagios-users mailing
> list Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please
> include Nagios version, plugin version (-v) and OS when reporting any
> issue. ::: Messages without supporting info will risk being sent to
> /dev/null
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list