Grafana x509 Certificate expired for LDAP

We have a Grafana installation I’ve recently had to take over managing. I’m not all that familiar with it, but it’s rare I have to do much to it.

It was configured for authentication using LDAP, and that is no longer working. Logs indicate that the x509 certificate has expired.

t=2021-12-15T14:40:28-0600 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 \"\": x509: certificate has expired or is not yet valid"
t=2021-12-15T14:40:28-0600 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.0.2.100 time_ms=15 size=53 referer=https://our-server-hostname.domain.com/login

We had to renew our DC CA Cert, which I am guessing is what caused this. However that happened several weeks ago, so either this is unrelated, or no one has tried to use Grafana in that time.

If this is the case, how would I go about updating the certificate?

The only domain-related certificate I can find in the server expired back in 2018, so I’m unsure if that is even the cert that LDAP is attempting to use.

System Info:

  • Debian 8 (Jessie)
  • v4.4.1 (commit: 6a9f8ca)

Apologies if I’m missing information, let me know if there’s additional info needed and I can provide it.

I appreciate any help anyone can provide.

I’ve managed to fix it.

For anyone else who runs into this problem, hopefully this will help.

  • Copy the CA Root Certificate from any AD/LDAP servers you are pointing to in your ldap.toml config.
  • SSH to the DC as admin and use certutil -ca.cert ca_name.cer
  • Copy all server CA Root Certs to a file and name it whatever name you point to in your ldap.toml.
  • Copy your new certificate to the /etc/ssl/certs/ directory.
  • Restart Grafana: /etc/init.d/grafana-server restart

As a side note: .cer and .pem are interchangeable, no need for any kind of conversion using openssl or certutil.

Since my original reply got removed by the automod, here it is again:

I fixed it.

The summary is download all applicable certs from the CA, combine them into a single .pem file (.crt, .cer, and .pem are interchangeable), load the cert into the Grafana Server wherever it’s stored (/etc/ssl/certs/), make sure the name matches what is in your /etc/grafana/ldap.toml.
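The two write-ups above describe the same procedure: export the new root from the CA, concatenate the roots into one PEM bundle, drop it under /etc/ssl/certs/, and make sure ldap.toml's root_ca_cert points at that file. What the thread does not show is how to confirm the bundle is actually good before anyone tries to log in again. The script below is an added example, not code from the forum posts or from the Grafana project; it assumes openssl is installed on the Grafana host and that the bundle path (and optionally the DC hostname, for an LDAPS port 636 check) are passed as arguments. It lists every certificate in the bundle with its notAfter date, fails if any of them is expired or expires within a chosen number of seconds, and can verify the DC's LDAPS chain against the bundle the same way Grafana's LDAP client does when use_ssl is enabled.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for the CA bundle
# that ldap.toml's root_ca_cert points at. Assumes openssl is installed and that
# the bundle path and, optionally, the DC hostname are given as arguments.

# Number of PEM certificates in a bundle file.
count_bundle_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and notAfter of every certificate in the bundle; return 1 if
# any certificate is already expired or expires within THRESHOLD seconds
# (default 0, i.e. only flag certificates that are expired right now).
check_bundle_expiry() {
    _bundle=$1
    _threshold=${2:-0}
    _tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...).
    awk -v dir="$_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" n ".pem") }
    ' "$_bundle"
    _expiring=0
    for _f in "$_tmp"/cert*.pem; do
        [ -f "$_f" ] || continue
        openssl x509 -in "$_f" -noout -subject -enddate
        # -checkend exits non-zero when the cert expires within the window.
        if ! openssl x509 -in "$_f" -noout -checkend "$_threshold" >/dev/null 2>&1; then
            echo "  -> expired or expiring within ${_threshold}s"
            _expiring=$((_expiring + 1))
        fi
    done
    rm -rf "$_tmp"
    [ "$_expiring" -eq 0 ]
}

# Verify the DC's LDAPS certificate chain against the bundle; this is the same
# trust decision Grafana's LDAP client makes, so a "Verify return code: 0 (ok)"
# here means logins will get past the x509 check.
verify_ldaps_chain() {
    _host=$1
    _bundle=$2
    openssl s_client -connect "$_host:636" -CAfile "$_bundle" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code|depth=|error'
}

# Usage: sh check_ldap_ca.sh /etc/ssl/certs/ldap-ca.pem [dc.example.com]
if [ "$#" -gt 0 ]; then
    bundle=$1
    echo "certificates in bundle: $(count_bundle_certs "$bundle")"
    # Warn 30 days ahead so an expiring root is noticed before logins break.
    check_bundle_expiry "$bundle" $((30 * 24 * 3600)) \
        || echo "WARNING: bundle contains expired or soon-to-expire certificates"
    if [ -n "$2" ]; then
        verify_ldaps_chain "$2" "$bundle"
    fi
fi
```

Running it from cron with the 30-day window is the cheap fix for the "nobody noticed for several weeks" problem described in the question: the warning fires while the old root is still valid, rather than on the first failed login after it expires.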
