"certificate verify failed" when setting up Duo LDAP auth proxy


#1

I’m trying to set up Duo as an LDAP authentication proxy for my OpenLDAP infrastructure but am having trouble with the SSL setup. I’ve installed my InCommon CA file (the CA for my upstream OpenLDAP servers) on the Duo authproxy server but am getting this error when I attempt to bind as a user via ldapsearch:

ldapsearch -h duoauthproxy.my.com -D "uid=my_user,ou=peeps,dc=my,dc=dom,dc=com" -W

additional info: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

Can anyone tell what I have wrong? The ldapsearch command above succeeds when I connect it to one of my OpenLDAP servers (ldap.my.dom.com). Here’s my authproxy.cfg:

[ad_client]
  host=ldap.my.dom.com
  transport=starttls
  ssl_ca_certs_file=/etc/ssl/certs/InCommonServerCA.pem
  timeout=60
  search_dn=ou=peeps,dc=my,dc=dom,dc=com
  # openldap does not use sAMAccountName
  username_attribute=uid
  service_account_username=my_account
  service_account_password=..redacted..
 
[ldap_server_auto]
  client=ad_client
  ikey=..redacted..
  skey=..redacted..
  api_host=..redacted..
  failmode=safe

Update: I added a [main] section and debug entries to the config. Here is the output. Looks like Duo is having trouble verifying the upstream LDAP cert. Do I need to add the intermediate bundle or anything?

2018-12-27T12:53:05-0600 [-] Duo Security Authentication Proxy 2.11.0 - Init Complete
2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [_ADServiceClientProtocol (TLSMemoryBIOProtocol),client] "Certificate verification failed: errno 20 depth=0 subject [('C', 'US'), ('postalCode', 'xxxx06'), ('ST', 'xx'), ('L', 'xxxxxxx'), ('street', 'xxxx xxxxxxxxx xxxx Street'), ('O', 'xxxxxxxxxxxx'), ('OU', 'xxxxxxx'), ('CN', 'ldap.my.dom.com')]"
2018-12-27T12:53:20-0600 [twisted.internet.defer#critical] 
        Traceback (most recent call last):
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 501, in errback
            self._startRunCallbacks(fail)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 568, in _startRunCallbacks
            self._runCallbacks()
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
            current.result = callback(current.result, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1475, in gotResult
            _inlineCallbacks(r, g, status)
        --- <exception caught here> ---
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 654, in _runCallbacks
            current.result = callback(current.result, *args, **kw)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapserver.py", line 88, in _cbLDAPError
            reason.trap(ldaperrors.LDAPException)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 441, in trap
            raise self
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
            result = result.throwExceptionIntoGenerator(g)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
            return g.throw(self.type, self.value, self.tb)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/proxy.py", line 125, in handleUnknown
            handle_msg=True
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py", line 1416, in _inlineCallbacks
            result = result.throwExceptionIntoGenerator(g)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/python/failure.py", line 491, in throwExceptionIntoGenerator
            return g.throw(self.type, self.value, self.tb)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/ldap/client.py", line 334, in send
            super(ADClientProtocol, self).send(op, controls=controls, handler=handler, handle_msg=handle_msg)
          File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/Twisted-18.7.0-py2.7-linux-x86_64.egg/twisted/protocols/tls.py", line 235, in _checkHandshakeStatus
            self._tlsConnection.do_handshake()
          File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1806, in do_handshake
            
          File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1546, in _raise_ssl_error
            
          File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
            
        OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

2018-12-27T12:53:20-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7fb431054e50>
2018-12-27T12:53:20-0600 [DuoAutoLdapServer (TLSMemoryBIOProtocol),0,192.168.136.202] Received extraneous LDAP PDU while resolving a BindRequest: LDAPMessage(id=2L, value=LDAPUnbindRequest())

Update 2: Looks like I needed to create a chained cert. I must have missed that in the docs.
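The diagnosis behind the poster's fix, as an added example that is not part of the original thread or Duo's code: OpenSSL's "errno 20" at depth 0 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, raised at the leaf when its issuer (here an intermediate CA) is neither in the trusted CA file nor among the certificates the server sends. The script below builds a root/intermediate/leaf chain with constructed names (Example Root CA, Example Intermediate CA, ldap.my.dom.com), reproduces error 20 when only the root is trusted and only the leaf is presented, and then shows both remedies: the server presenting a chained cert (leaf plus intermediate, the "chained cert" of Update 2) and, alternatively, adding the intermediate to the file the proxy trusts. It assumes only the openssl command line is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the condition the
# proxy logged ("Certificate verification failed: errno 20 depth=0") and the
# two ways to clear it. Requires the openssl CLI; all names are constructed.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.my.dom.com
EOF

# Root CA: the only certificate the poster had in ssl_ca_certs_file.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 \
    -extfile ext.cnf -extensions v3_ca 2>/dev/null

# Intermediate CA: the link that was missing.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 1825 -extfile ext.cnf -extensions v3_ca 2>/dev/null

# Leaf certificate for the upstream LDAP server, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
    -subj "/CN=ldap.my.dom.com" 2>/dev/null
openssl x509 -req -in ldap.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out ldap.pem -days 825 -extfile ext.cnf -extensions v3_server 2>/dev/null

# Server-side fix: slapd presents leaf + intermediate (a "chained cert").
cat ldap.pem int.pem > ldap-chain.pem
# Client-side alternative: add the intermediate to the file the proxy trusts.
cat root.pem int.pem > ca-bundle.pem

# verify_chain TRUSTED UNTRUSTED LEAF: exit 0 on success, non-zero on failure.
# UNTRUSTED may be empty; it stands in for the extra certificates a TLS server
# sends with its leaf, which OpenSSL uses only to build the chain.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# verify_errno TRUSTED LEAF: print the X509 verify error number (e.g. 20),
# or nothing when verification succeeds.
verify_errno() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' \
        | head -n 1
}

# 1. Root only, server sends only its leaf: the poster's situation.
if verify_chain root.pem "" ldap.pem; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "as on the proxy: errno $(verify_errno root.pem ldap.pem) at depth 0 (unable to get local issuer certificate)"
fi

# 2. Server sends the chained cert: the root CA file alone is sufficient.
verify_chain root.pem ldap-chain.pem ldap.pem && echo "chained cert: OK"

# 3. Intermediate added to the trusted bundle instead: also verifies.
verify_chain ca-bundle.pem "" ldap.pem && echo "CA bundle with intermediate: OK"
```

Against a live server the equivalent check is `openssl s_client -connect ldap.my.dom.com:389 -starttls ldap -CAfile /etc/ssl/certs/InCommonServerCA.pem` (OpenSSL 1.1.1 or later for `-starttls ldap`), which prints the chain the server actually sends and "Verify return code: 20" when the intermediate is absent from both that chain and the CA file.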


#2

Glad to see you were able to resolve your issues.