Ca-bundle.crt problems

I can’t get the proxy server to talk back to Duo. When I run the authentication test I am getting a certificate error. This is a standard install with no custom settings. The only thing I have listed under [main] in the config is to turn on debug. I tried specifying the location of the ca-bundle.crt and that didn’t make a difference. The output from the connectivity_tool log is listed below.

2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#warn] The RADIUS Server has connectivity problems.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] The Auth Proxy was not able to ping Duo at ■■■■.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] This appears to be because of unreadable or invalid CA certificates passed down by [main]'s http_ca_certs_file configuration option preventing the Auth Proxy from reaching out to Duo. Please refer to any errors above in main’s check to fix this and retry.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#debug] Exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#warn] The Auth Proxy did not run the time drift check because of the problem(s) with the ping check. Resolve that issue and rerun the tester.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] The Auth Proxy was not able to validate the provided API credentials.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] This appears to be because of unreadable or invalid CA certificates passed down by [main]'s http_ca_certs_file configuration option preventing the Auth Proxy from reaching out to Duo. Please refer to any errors above in main’s check to fix this and retry.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#debug] Exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] The Auth Proxy will be able to accept connections on port 1812 on all interfaces
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] -----------------------------

5 Replies

mkorovesisduo
Level 4

Hi, please contact Duo Support for help with your issue.

HamR1
Level 1

Can anyone please share the resolution to this? I’m trying to run a trial, so I don’t get support.

TIA

Do you receive the exact same messages in the connectivity tool output?

The simplest step is to make sure that the ca-bundle.crt file is readable by the account that runs the Duo proxy service.

Another possibility is that you have SSL inspection in place and the CA that issues the SSL inspector’s cert isn’t trusted by the proxy, so it can’t establish a secured connection to Duo.

Duo, not DUO.

Hello DuoKristina,

Thank you for responding.

Yes, I receive the same messages in the connectivity tool output.

The ca-bundle file inherits the same Windows folder permissions as the authproxy.cfg file, which the Duo Proxy Service seems to be able to read.

There is no SSL inspection in place.

Can you please confirm that my ca-bundle file only needs to include the intermediate CA certificate, followed by the root CA certificate in PEM format, like this?

-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----

And assuming the intermediate CA certificate is the same one the domain controller uses for the LDAPS query, then it should be valid?

Thanks,

Hamish

The ca-bundle file is not used at all for LDAP connections made inbound to a proxy running an ldap_server_auto config, nor is it used for LDAP connections made outbound to an AD or LDAP directory server specified in an ad_client section. Its exclusive function is for verifying the connection from the Authentication Proxy to Duo’s cloud service for the 2FA request. There should be no need to add any information about your domain controller cert or CA.

I wonder if you are conflating this original issue with something else? The vast majority of customers never touch or edit the ca_bundle file, because they have no need to do so.

Is your issue that the proxy cannot contact Duo’s server, or that it cannot make an LDAPS or STARTTLS connection to a directory server or establish one with a downstream LDAP client? That puts different output into the authproxy.log or connectivity tool output, and has a different solution.

Duo, not DUO.
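A small diagnostic, added here as an example and not code from Duo or from anyone in this thread, that checks the two things raised above: whether the file named by http_ca_certs_file is readable by the account you run it as and loads as a PEM CA bundle, and whether a TLS handshake to the Duo API host verifies against only that bundle (the SSL inspection case shows up as verify_failed on a bundle you never edited). The bundle path and API hostname are assumed placeholders; the sample bundle in the comments is constructed.

```python
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def check_bundle_text(text):
    """Count PEM certificate blocks and ask OpenSSL (via load_verify_locations)
    whether the whole bundle parses; a stray BOM or a broken block fails here."""
    report = {"pem_blocks": text.count(PEM_BEGIN), "loadable": False, "error": None}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=text)
        report["loadable"] = True
    except (ssl.SSLError, ValueError) as exc:
        report["error"] = "bundle did not load: %s" % exc
    return report


def inspect_bundle(path):
    """Run this as the account the Auth Proxy service runs under: the first
    question is whether that account can read the file at all."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return {"readable": False, "pem_blocks": 0, "loadable": False,
                "error": "cannot read %s: %s" % (path, exc)}
    report = check_bundle_text(text)
    report["readable"] = True
    return report


def probe_tls(host, cafile, port=443, timeout=5.0):
    """Attempt the handshake the proxy makes to Duo, trusting only cafile.
    verify_failed with an untouched bundle points at a TLS-inspecting device
    presenting a chain signed by its own CA (host is a placeholder here)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", "issuer CN=%s" % issuer.get("commonName")
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "connect_failed", str(exc)
```

Call inspect_bundle with the http_ca_certs_file path while running as the proxy service account, then probe_tls with the Duo API hostname from authproxy.cfg (redacted as ■■■■ in the log above); a bundle made of REDACTED placeholder blocks, as in the post, reports pem_blocks but not loadable.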