Grafana x509 Certificate expired for LDAP

We have a Grafana installation I’ve recently had to take over managing. I’m not all that familiar with it, but it’s rare I have to do much to it.

It was configured for authentication using LDAP, and that is no longer working. Logs indicate that the x509 certificate has expired.

t=2021-12-15T14:40:28-0600 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 \"\": x509: certificate has expired or is not yet valid"
t=2021-12-15T14:40:28-0600 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr= time_ms=15 size=53 referer=

We had to renew our DC CA Cert, which I am guessing is what caused this. However that happened several weeks ago, so either this is unrelated, or no one has tried to use Grafana in that time.

If this is the case, how would I go about updating the certificate?

The only domain-related certificate I can find in the server expired back in 2018, so I’m unsure if that is even the cert that LDAP is attempting to use.

System Info:

  • Debian 8 (Jesse)
  • v4.4.1 (commit: 6a9f8ca)

Apologies if I’m missing information, let me know if there’s additional info needed and I can provide it.

I appreciate any help anyone can provide.

I’ve managed to fix it.

For anyone else who runs into this problem, hopefully this will help.

  • Copy the CA Root Certificate from any AD/LDAP servers you are pointing to in your ldap.toml config.
  • SSH to the DC as admin and use certutil -ca.cert ca_name.cer Source
  • Copy all server CA Root Certs to a file and name it whatever name you point to in your ldap.toml.
  • Copy your new certificate to the /etc/ssl/certs/ directory. Restart Grafana /etc/init.d/grafana-server restart

As a side note: .cer and .pem are interchangeable, no need for any kind of conversion using openssl or certutil. Source

Since my original reply got removed by the automod, here it is again:

I fixed it.

The summary is download all applicable certs from the CA, combine them into a single .pem file (.crt, .cer, and .pem are interchangeable), load the cert into the Grafana Server wherever it’s stored (/etc/ssl/certs/), make sure the name matches what is in your /etc/grafana/ldap.toml.

1 Like