Secured LDAP integration failing with "Failed to append CA certificate"

Hi Team,

We are trying Grafana with secured LDAP, but we are facing the below error:

**lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="Failed to append CA certificate /home/grafana/my_ldap_certs/securityca.crt"**

/etc/grafana/ldap.toml file entries:

```toml
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
#[log]
#filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "my.hosturl.com"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
#root_ca_cert = "/home/grafana/my_ldap_certs/securityca.crt"
```

Note: We copied the customer-provided “securityca.crt” to the folder “/home/grafana/my_ldap_certs/” with the grafana user. Other than this, we haven’t done any kind of keystore import via the openssl CLI command. Is it correct?

Please help us to resolve “Failed to append CA certificate /home/grafana/my_ldap_certs/securityca.crt”
Thanks in advance.

–Phani.Chavala

Typo, we are actually using the below line.
root_ca_cert = "/home/grafana/my_ldap_certs/securityca.crt"

That error indicates that the contents of the file could not be parsed as a valid PEM certificate. If you open the file in an editor, it should have one or more blocks that start with -----BEGIN CERTIFICATE-----, end with -----END CERTIFICATE-----, and contain base64-encoded data in between.


Thanks ‘Dan Cech’ for immense support.

We tried converting the ‘.crt’ file to ‘.pem’ and modified the variable root_ca_cert = "/home/grafana/my_ldap_certs/securityca.pem"

Command which we used to convert the ‘.crt’:

```
openssl x509 -inform DER -in securityca.crt -out securityca.pem -text
```

It worked… 🙂
Thank you.
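
The failure and fix discussed in this thread, as an added Go example that is not part of the original posts and is not Grafana's own code: a DER-encoded (binary) certificate is rejected by a PEM-only loader, and re-encoding it as PEM makes it loadable. It assumes the file is loaded with Go's standard `x509.CertPool.AppendCertsFromPEM`; `NormalizeCA` and `constructedCA` are hypothetical names, and the certificate is a throwaway one generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NormalizeCA returns PEM that AppendCertsFromPEM accepts, converting a single DER certificate if needed.
func NormalizeCA(raw []byte) (pemOut []byte, wasDER bool, err error) {
	if x509.NewCertPool().AppendCertsFromPEM(raw) {
		return raw, false, nil // already loadable, leave untouched
	}
	cert, err := x509.ParseCertificate(raw) // strict DER parse
	if err != nil {
		return nil, false, fmt.Errorf("neither PEM nor DER certificate: %w", err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), true, nil
}

// constructedCA builds a throwaway self-signed CA in DER form (constructed sample input).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-example-ca"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, err := constructedCA()
	if err != nil {
		panic(err)
	}
	_, wasDER, err := NormalizeCA(der)
	fmt.Println("converted from DER:", wasDER, "error:", err)
}
```

The human-readable text that `-text` writes ahead of the `-----BEGIN CERTIFICATE-----` block does not affect loading, because Go's PEM decoder skips anything outside the block.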