Grafana / LDAPS / Validate Certificate

Hi everyone,

I have been using LDAP to access the AD. It works perfectly:
[[servers]]
host = "1.2.3.4"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false

I would like to use LDAPS:

[[servers]]
host = "1.2.3.4"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false

Unfortunately I get the following error message in the log file:
x509: cannot validate certificate for because it doesn't contain any IP SANs

What is the DC sending me ???
If I set ssl_skip_verify = true then it works.

It’ll very likely be sending you its hostname rather than its IP address.

Put that into the “host =” line and see if it works.

If it still doesn’t, and you can get a copy of the certificate file that’s being
sent, you can use the openssl command to find out what the certificate contains:

openssl x509 -in certificate.crt -text -noout

or
openssl x509 -in certificate.pem -text -noout

That will tell you what identity the certificate claims to be for.

Antony.

Thanks for the hint.
I have given the complete FQDN, but the log says:

t=2020-06-20T00:44:53+0200 lvl=dbug msg="unable to dial LDAP server" logger=ldap host=DC-01.company.de port=636 error="LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority"
t=2020-06-20T00:44:53+0200 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority" remote_addr=10.4.7.51
t=2020-06-20T00:44:53+0200 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.4.7.51 time_ms=971 size=53 referer=https://grafana.company.de/login

Unfortunately I don’t have a copy of the certificate file.
Can I find out the identity via an extended debug in the log file?

> Thanks for the hint.
> I have given the complete FQDN, but the log says:
>
> t=2020-06-20T00:44:53+0200 lvl=dbug msg="unable to dial LDAP server"
> logger=ldap host=DC-01.company.de port=636 error="LDAP Result Code 200
> "Network Error": x509: certificate signed by unknown authority"

Now that’s a completely different error report.

> Unfortunately I don’t have a copy of the certificate file.
> Can I find out the identity via an extended debug in the log file?

No; the problem is now that the certificate is signed by a CA which is not
recognised by your Grafana server.

Do you have the full OpenSSL packages, including the CA list, installed on
your Grafana machine?

On Debian/Devuan for example, this would be the “ca-certificates” package.

Antony.

I saw it and first looked at the server certificate:
openssl s_client -connect 1.2.3.4:636 -showcerts

Now I know the CA.

But where to put it? Does Grafana use the openssl library?
Then /etc/pki/tls/certs would be the right directory.
Is the directory correct?

I copied the Windows certificates (*.cer).
Do I need a different format?
The error remains.

Note:
I use CentOS 8.

Thomas.

> Does Grafana use the openssl library?

I would expect so, but this is beyond my expertise - maybe someone else can
confirm.

> Then /etc/pki/tls/certs would be the right directory.
> Is the directory correct?

On my Debian system it’s /etc/ssl/certs

> I copied the Windows certificates (*.cer).
> Do I need a different format?

I would expect so, yes. I would expect to install a .pem under Linux.

Regards,

Antony.

Hi,

Juhu - it works!

In CentOS 8 /etc/ssl/certs is a link to /etc/pki/tls/certs.

But the system does not like *.cer files so much.
I converted it to *.pem and now everything is running…

Thanks for the help and a nice weekend.
Best regards Thomas.
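The two errors in this thread and the .cer-versus-.pem point at the end, reproduced as an added Go example (not Grafana's code and not part of any post above). It uses the crypto/x509 package that produced the quoted error strings, with a constructed in-memory CA and server certificate and the made-up name dc-01.example.test; the host name is checked against the SANs before the chain is checked, which is why the IP-SAN error hid the unknown-authority error until the FQDN was used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// buildChain constructs, in memory for this example only, a private CA plus a server certificate whose single SAN is dnsName (no IP SANs), like a typical DC certificate.
func buildChain(dnsName string) (caDER, leafDER []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: nb, NotAfter: na}
	if caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: nb, NotAfter: na}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	return caDER, leafDER, err
}

func derToPEM(der []byte) []byte { // the .cer (DER) to .pem conversion the thread ends with
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// classify verifies leafDER as a Go TLS client does: the dialled host is matched against the SANs first, then the chain must reach a root found in caPEM.
func classify(leafDER []byte, host string, caPEM []byte) string {
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // a DER .cer passed here is silently ignored, leaving the pool empty
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // "...doesn't contain any IP SANs" when host is an IP address
		return "hostname-mismatch"
	case x509.UnknownAuthorityError: // "certificate signed by unknown authority"
		return "unknown-authority"
	}
	return err.Error()
}
```

Calling classify with "1.2.3.4" gives hostname-mismatch even when the CA is trusted, with the FQDN and a DER .cer as the trust input gives unknown-authority, and with the FQDN and the PEM conversion gives ok.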