"certificate verify failed" when setting up Duo LDAP auth proxy

dee3
Level 1

I’m trying to set up Duo as an LDAP authentication proxy for my OpenLDAP infrastructure but I’m having trouble with the SSL setup. I’ve installed my InCommon CA file (the CA for my upstream OpenLDAP servers) on the Duo authproxy server but get this error when I attempt to bind as a user via ldapsearch:

  ldapsearch -h duoauthproxy.my.com -D "uid=my_user,ou=peeps,dc=my,dc=dom,dc=com" -W

additional info: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

Can anyone tell me what I have wrong? The ldapsearch command above succeeds when I connect it to one of my OpenLDAP servers (ldap.my.dom.com). Here’s my authproxy.cfg:

[ad_client]
  host=ldap.my.dom.com
  transport=starttls
  ssl_ca_certs_file=/etc/ssl/certs/InCommonServerCA.pem
  timeout=60
  search_dn=ou=peeps,dc=my,dc=dom,dc=com
  # openldap does not use sAMAccountName
  username_attribute=uid
  service_account_username=my_account
  service_account_password=..redacted..
 
[ldap_server_auto]
  client=ad_client
  ikey=..redacted..
  skey=..redacted..
  api_host=..redacted..
  failmode=safe

Update: I added a [main] section and debug entries to the config. Here is the output. Looks like Duo is having trouble verifying the upstream LDAP cert. Do I need to add the intermediate bundle or anything?

2018-12-27T12:53:05-0600 [-] Duo Security Authentication Proxy 2.11.0 - Init Complete
2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] "Certificate verification failed: errno 20 depth=0 subject [('C', 'US'), ('postalCode', 'xxxx06'), ('ST', 'xx'), ('L', 'xxxxxxx'), ('street', 'xxxx xxxxxxxxx xxxx Street'), ('O', 'xxxxxxxxxxxx'), ('OU', 'xxxxxxx'), ('CN', 'ldap.my.dom.com')]"
2018-12-27T12:53:20-0600 [twisted.internet.defer#critical] 
        Traceback (most recent call last):
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 501, in errback
            self._startRunCallbacks(fail)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 568, in _startRunCallbacks
            self._runCallbacks()
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
            current.result = callback(current.result, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1475, in gotResult
            _inlineCallbacks(r, g, status)
        --- <exception caught here> ---
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
            current.result = callback(current.result, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapserver.py", line 88, in _cbLDAPError
            reason.trap(ldaperrors.LDAPException)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 441, in trap
            raise self
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
            result = result.throwExceptionIntoGenerator(g)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
            return g.throw(self.type, self.value, self.tb)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/proxy.py", line 125, in handleUnknown
            handle_msg=True
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
            result = result.throwExceptionIntoGenerator(g)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
            return g.throw(self.type, self.value, self.tb)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/client.py", line 334, in send
            super(ADClientProtocol, self).send(op, controls=controls, handler=handler, handle_msg=handle_msg)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 235, in _checkHandshakeStatus
            self._tlsConnection.do_handshake()
          File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1806, in do_handshake
            
          File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1546, in _raise_ssl_error
            
          File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
            
        OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [DuoAutoLdapServer (TLSMemoryBIOProtocol),0,192.168.136.202] Received extraneous LDAP PDU while resolving a BindRequest: LDAPMessage(id=2L, value=LDAPUnbindRequest())

Update 2: Looks like I needed to create a chained cert. I must have missed that in the docs.

2 Replies

mkorovesisduo
Level 4

Glad to see you were able to resolve your issues.

manvik
Level 3

Guys, I got the same issue. Nothing to worry about.

  1. Just chain the cert files correctly.
  2. The cert files should be in .pem format.
  3. If you are using an IP to call AD in the authconf file, use ssl_verify_hostname=false.

To chain your file, follow the steps below:

  1. Locate your exported certificates and open them with Notepad or Notepad++.
     • If there are both root and intermediate certificates, append the content of all the certificates into one certificate file, with the intermediate certificates at the top and the root certificate at the bottom (i.e. in reverse of the issuing order). An example of the order for a root and 2 intermediate certificates:
       • [Intermediate certificate 2 - issued by Intermediate certificate 1]
       • [Intermediate certificate 1 - issued by Root certificate]
       • [Root certificate]
  2. There should now be a certificate file with the entire issuing certificate chain. This file will allow Duo to trust the certificate chain that issued the SSL certificate used by Active Directory for LDAPS authentication.

Follow this guide; it should work:
https://help.duo.com/s/article/2222?language=en_US
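The following script is a worked example added to this page; it is not code from the thread, from Duo, or from the linked guide. It reproduces the failure in the original poster's debug log (X509 error 20 at depth 0, "unable to get local issuer certificate", which is what the authproxy prints as "errno 20 depth=0") and then applies the two fixes from the reply above: convert every CA file to PEM and concatenate them into one ssl_ca_certs_file with the intermediates first and the root last. Everything runs offline against a throwaway test PKI built with openssl, so all certificate names are made up; ldap.my.dom.com is reused from the thread only as the leaf CN. It assumes a POSIX sh with openssl, awk, sed and mktemp on the path.

```shell
#!/bin/sh
# Added example, not code from the thread, from Duo, or from the Duo guide.
# Builds a throwaway root -> intermediate -> leaf PKI with openssl, shows that
# verifying the leaf against the root alone fails with X509 error 20 at depth 0
# (the "errno 20 depth=0" in the authproxy debug log), and shows it succeeding
# once the intermediate is appended to the CA bundle, intermediates first, root last.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI; every name here is hypothetical.
make_test_pki() {
  cat > "$WORK/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.my.dom.com
EOF
  # self-signed root
  openssl req -config "$WORK/test.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Test Root CA" -extensions ca_ext \
      -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # intermediate, issued by the root
  openssl req -config "$WORK/test.cnf" -new -newkey rsa:2048 -nodes \
      -subj "/CN=Test Intermediate CA" \
      -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -set_serial 1 -days 2 -extfile "$WORK/test.cnf" -extensions ca_ext \
      -out "$WORK/int.pem" >/dev/null 2>&1
  # LDAP server certificate, issued by the intermediate
  openssl req -config "$WORK/test.cnf" -new -newkey rsa:2048 -nodes \
      -subj "/CN=ldap.my.dom.com" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
      -set_serial 2 -days 2 -extfile "$WORK/test.cnf" -extensions leaf_ext \
      -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Emit the certificate blocks of one file as PEM, converting DER exports
# (.cer/.der) on the fly, so the bundle is PEM throughout.
to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1"
  else
    openssl x509 -inform DER -in "$1" -outform PEM
  fi
}

# $1 = output bundle; remaining args = CA files, intermediates first, root last.
build_chain_file() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    to_pem "$f" >> "$out"
  done
}

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the n-th PEM certificate block of a bundle.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                 i == n { print }
                 /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# Distinguished name of the certificate on stdin; $1 is -subject or -issuer.
dn_of() { openssl x509 -noout "$1" -nameopt RFC2253 | sed 's/^[^=]*= *//'; }

# Each certificate must be issued by the one after it, and the last must be a
# self-signed root: the layout the Duo guide asks for, with no missing link.
check_chain_order() {
  bundle=$1
  n=$(cert_count "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$bundle" "$i" | dn_of -issuer)
    next_subject=$(nth_cert "$bundle" $((i + 1)) | dn_of -subject)
    if [ "$issuer" != "$next_subject" ]; then
      echo "order error: certificate $i is issued by '$issuer' but certificate $((i + 1)) is '$next_subject'" >&2
      return 1
    fi
    i=$((i + 1))
  done
  last_issuer=$(nth_cert "$bundle" "$n" | dn_of -issuer)
  last_subject=$(nth_cert "$bundle" "$n" | dn_of -subject)
  [ "$last_issuer" = "$last_subject" ] || { echo "last certificate is not a self-signed root" >&2; return 1; }
}

# The same path validation the proxy performs on the upstream server
# certificate, with $1 standing in for ssl_ca_certs_file.
verify_leaf() { openssl verify -CAfile "$1" "$WORK/leaf.pem"; }

make_test_pki
echo "== ssl_ca_certs_file = root certificate only =="
verify_leaf "$WORK/root.pem" || echo "(this is the 'errno 20 depth=0' failure from the debug log)"

# Export the intermediate as DER too, to show to_pem normalising it.
openssl x509 -in "$WORK/int.pem" -outform DER -out "$WORK/int.der"
build_chain_file "$WORK/chain.pem" "$WORK/int.der" "$WORK/root.pem"
check_chain_order "$WORK/chain.pem" && echo "== chain file ok: $(cert_count "$WORK/chain.pem") certificates, intermediate then root =="
echo "== ssl_ca_certs_file = intermediate + root =="
verify_leaf "$WORK/chain.pem"
```

Run it as-is to see both outcomes; to check a real bundle, point check_chain_order and openssl verify at your own ssl_ca_certs_file and the certificate the LDAP server presents (openssl s_client -connect host:636 -showcerts, or -starttls ldap on 389). OpenSSL loads every certificate in a CAfile into the trust store regardless of order, so the order check here is a sanity check that no link is missing rather than something the proxy enforces. On the reply's third point: ssl_verify_hostname=false removes the hostname check entirely, so connecting to the server by the name in its certificate is the safer way to make a bind succeed.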
