When at the login page trying to auth via LDAPS, I get the following errors:
May 31 01:35:39 monitoring grafana-server: t=2017-05-31T01:35:39+0000 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 \"\": read tcp MY_IP:44532->AD_IP:636: read: connection reset by peer"
May 31 01:35:39 monitoring grafana-server: t=2017-05-31T01:35:39+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.60.1 time_ms=41 size=53
I’ve tried specifying my organization’s “root_ca_cert” but the error is the same with or without. Relevant ldap config:
[[servers]]
host = "MY_AD_SERVER"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
On the AD server (Windows 2012 R2), the following errors are generated:
Event 36888, Schannel: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205."
Event 36874, Schannel: "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client are supported by the server. The SSL connection request has failed."
We use SHA-512 for the root CA certs, and I confirmed with IT that the necessary Windows updates have been applied that allow TLS 1.2 to work with SHA-512.
So here’s what’s confusing me. I can connect from the same machine via openssl without issue.
[vagrant@monitoring ~]$ openssl s_client -connect MY_AD:636
CONNECTED(00000003)
depth=2 C = US, O = REMOVED...
verify return:1
depth=1 C = US, O = REMOVED...
verify return:1
depth=0
verify return:1
---
Certificate chain
REMOVED
---
Server certificate
REMOVED
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4746 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID-ctx:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1496195578
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Given that, why can’t Grafana connect? And how could I troubleshoot this further? For example, is there any way to get Grafana to show what cipher(s) it’s trying? LDAP logging is already set to debug, and I tried setting Grafana to debug level logging in general, but there wasn’t any extra output for LDAP. This is with Grafana 4.3.1 installed to CentOS 7 via the official repo.
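The cipher check asked for at the end, as an added Go example that is not part of this post and not Grafana's own code (Grafana's LDAP client is Go code on top of crypto/tls, so the probe uses the same package): ProbeCipher handshakes a client restricted to one suite list against an in-process stand-in for the AD server restricted to another, and returns the negotiated suite or the handshake error. The stand-in's name and certificate are constructed, and the suite lists are assumptions chosen to show one shared-suite success and one no-overlap failure; a check against the real server would use tls.Dial to MY_AD:636 with the root_ca_cert loaded into RootCAs instead of the local listener.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// throwawayCert builds a self-signed RSA-2048 certificate for the stand-in server (constructed fixture; generator errors ignored).
func throwawayCert() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "stand-in-ldaps"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ProbeCipher runs a TLS 1.2 handshake between a client limited to clientSuites and a local server limited to
// serverSuites, returning the negotiated suite name or the client-side error ("remote error: tls: handshake failure"
// when the lists do not overlap, the client-side view of the Schannel 36874 event).
func ProbeCipher(serverSuites, clientSuites []uint16) (string, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{throwawayCert()}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // serve exactly one connection; its handshake outcome surfaces on the client side
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	// InsecureSkipVerify only because the stand-in certificate is self-signed; suite negotiation is what is probed.
	cli := &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}
```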