Hi everyone,
I have been using LDAP to access the AD. It works perfectly:
[[servers]]
host = "1.2.3.4"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
I would like to use LDAPS:
[[servers]]
host = "1.2.3.4"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
Unfortunately I get the following error message in the log file:
x509: cannot validate certificate for because it doesn't contain any IP SANs
What is the DC sending me???
If I set ssl_skip_verify = true then it works.
pooh
June 19, 2020, 10:22pm
2
It’ll very likely be sending you its hostname rather than its IP address.
Put that into the “host =” line and see if it works.
If it still doesn’t, and you can get a copy of the certificate file that’s being
sent, you can use the openssl command to find out what the certificate contains:
openssl x509 -in certificate.crt -text -noout
or
openssl x509 -in certificate.pem -text -noout
That will tell you what identity the certificate claims to be for.
Antony.
Thanks for the hint.
I have given the complete FQDN, but the log says:
t=2020-06-20T00:44:53+0200 lvl=dbug msg="unable to dial LDAP server" logger=ldap host=DC-01.company.de port=636 error="LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority"
t=2020-06-20T00:44:53+0200 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority" remote_addr=10.4.7.51
t=2020-06-20T00:44:53+0200 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.4.7.51 time_ms=971 size=53 referer=https://grafana.company.de/login
Unfortunately I don’t have a copy of the certificate file.
Can I find out the identity via an extended debug in the log file?
pooh
June 20, 2020, 8:40am
4
Thanks for the hint.
I have given the complete FQDN, but the log says:
t=2020-06-20T00:44:53+0200 lvl=dbug msg="unable to dial LDAP server" logger=ldap host=DC-01.company.de port=636 error="LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority"
Now that’s a completely different error report.
Unfortunately I don’t have a copy of the certificate file.
Can I find out the identity via an extended debug in the log file?
No; the problem is now that the certificate is signed by a CA which is not
recognised by your Grafana server.
Do you have the full OpenSSL packages, including the CA list, installed on
your Grafana machine?
On Debian/Devuan for example, this would be the “ca-certificates” package.
Antony.
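The two errors in this thread both come from Go's crypto/x509 package, which Grafana's LDAP client relies on for TLS. As an added example (not Grafana's code and not anything from the original posts), the following Go program reproduces both against one constructed, self-signed certificate: verifying with the IP address as the server name fails on the missing IP SAN, verifying with the FQDN against a trust store that lacks the signing CA fails with "certificate signed by unknown authority", and verifying with the FQDN once the CA is trusted succeeds. The host name dc-01.example.test and the labels are my own; roots are passed explicitly so the outcome does not depend on the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical DC name used only to build the fixture; it stands in for the
// real DC-01.company.de and is not taken from the thread's environment.
const dcHostname = "dc-01.example.test"

// newDCCert builds a constructed, self-signed certificate that looks like a
// typical domain-controller certificate: its only SAN is a DNS name, so a
// client that connects by IP address has no IP SAN to match against.
func newDCCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // IPAddresses deliberately left empty
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify maps the error a TLS client would see to a short label: a SAN
// mismatch (HostnameError), a chain that does not end in a trusted root
// (UnknownAuthorityError), success, or anything else.
func classify(err error) string {
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname"
	case errors.As(err, &authErr):
		return "unknown-authority"
	default:
		return "other"
	}
}

// Scenario runs one of the three configurations seen in the thread against
// the same certificate and returns the label plus the raw error text.
func Scenario(name string) (label, detail string, err error) {
	cert, err := newDCCert(dcHostname)
	if err != nil {
		return "", "", err
	}
	untrusted := x509.NewCertPool() // like a host without the DC's CA installed
	trusted := x509.NewCertPool()   // like a host after the CA PEM was installed
	trusted.AddCert(cert)

	var serverName string
	var roots *x509.CertPool
	switch name {
	case "ip":
		// host = "1.2.3.4": the CA is trusted here so only the SAN problem shows
		serverName, roots = "1.2.3.4", trusted
	case "fqdn-untrusted":
		// host = FQDN, but the signing CA is not in the trust store
		serverName, roots = dcHostname, untrusted
	case "fqdn-trusted":
		// host = FQDN and the CA has been installed
		serverName, roots = dcHostname, trusted
	default:
		return "", "", fmt.Errorf("unknown scenario %q", name)
	}
	_, verr := cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	if verr != nil {
		detail = verr.Error()
	}
	return classify(verr), detail, nil
}

func main() {
	for _, s := range []string{"ip", "fqdn-untrusted", "fqdn-trusted"} {
		label, detail, err := Scenario(s)
		if err != nil {
			fmt.Println(s, "fixture error:", err)
			continue
		}
		fmt.Printf("%-15s %-18s %s\n", s, label, detail)
	}
}
```

The "ip" case deliberately trusts the certificate so that the SAN mismatch is the only failure; in a real handshake the order in which Go reports the two problems does not change the fix, which is to connect by a name that appears in the SANs and to trust the issuing CA.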
I saw it and first looked at the server certificate:
openssl s_client -connect 1.2.3.4:636 -showcerts
Now I know the CA.
But where to put it? Does Grafana use the openssl library?
Then /etc/pki/tls/certs would be the right directory.
Is the directory correct?
I copied the Windows certificates (*.cer).
Do I need a different format?
The error remains.
Note:
I use CentOS 8.
Thomas.
pooh
June 20, 2020, 11:15am
6
Does Grafana use the openssl library?
I would expect so, but this is beyond my expertise - maybe someone else can
confirm.
Then /etc/pki/tls/certs would be the right directory.
Is the directory correct?
On my Debian system it’s /etc/ssl/certs
I copied the Windows certificates (*.cer).
Do I need a different format?
I would expect so, yes. I would expect to install a .pem under Linux.
Regards,
Antony.
Hi,
Hooray - it works!
In CentOS 8 /etc/ssl/certs is a link to /etc/pki/tls/certs.
But the system does not like *.cer files so much.
I converted it to *.pem and now everything is running…
Thanks for the help and a nice weekend.
Best regards, Thomas.
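Thomas's last two posts raise three practical steps: seeing what the DC presents (openssl s_client), getting the Windows *.cer export into the PEM form Linux expects, and putting the CA where Grafana finds it. As an added example, not commands from the thread, the shell helpers below cover those steps. The "DER or PEM" detection in cer_to_pem is mine; the /etc/pki/ca-trust/source/anchors path and update-ca-trust are the standard CentOS 8 / RHEL trust-store mechanism, and the comment about Go reading /etc/pki/tls/certs reflects Go's crypto/x509 Linux root search, which is why copying the PEM there worked for Thomas.

```sh
#!/bin/sh
# Added example for this thread, not Grafana's or the original poster's commands.
# Helpers for: seeing what the DC sends, turning a Windows *.cer export into
# PEM, and installing the CA where Go and the rest of CentOS 8 look for it.

# fetch_chain HOST PORT: print every certificate the LDAPS server presents,
# in PEM form; the issuer of the last one names the CA that must be trusted.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# cert_identity FILE: subject, issuer and SANs of one PEM certificate; the
# SAN line answers "what is the DC sending me" and the issuer names the CA.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cer_to_pem IN OUT: a Windows "DER encoded binary" export needs converting;
# a "Base-64 encoded" export is already PEM and is copied through unchanged.
# Anything that is not a certificate is rejected, so a stray key file cannot
# end up in the trust store by mistake.
cer_to_pem() {
    if openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
    elif openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        cp "$1" "$2"
    else
        echo "$1: not an X.509 certificate in DER or PEM form" >&2
        return 1
    fi
}

# install_ca PEM: the CentOS 8 / RHEL way (needs root). Dropping the PEM into
# /etc/pki/tls/certs works because Go scans that directory for roots, but the
# anchors directory plus update-ca-trust also refreshes the bundles that
# OpenSSL-based tools on the same host read.
install_ca() {
    install -m 0644 "$1" /etc/pki/ca-trust/source/anchors/ \
        && update-ca-trust extract
}

# Usage: ./ldaps-ca.sh ca.cer   -> writes ca.pem and prints its identity
if [ -n "${1:-}" ]; then
    out="${1%.cer}.pem"
    [ "$out" = "$1" ] && out="$1.pem"
    cer_to_pem "$1" "$out" && cert_identity "$out"
fi
```

Run fetch_chain against the DC first and feed the last certificate it prints to cert_identity; its issuer is the CA whose export you then pass through cer_to_pem and install_ca before restarting Grafana.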