Duo SSO with Authentication Proxy: Certificate error

I am receiving the following error when trying to use a certificate with Duo SSO/Active Directory/Authentication Proxy:

There was a problem with the TLS cert. Verify the correct CA certificate was specified. Check the Authentication Proxy logs for additional information.

I have followed these instructions: https://help.duo.com/s/article/2222?language=en_US.

I have an LDAPS cert set up with Active Directory Sync; all works there. I tried the same cert that works in AD Sync in Duo SSO, and it still fails.

If I switch from using LDAPS to LDAP, all works.

How can I successfully add the cert?

Thanks.

If you have a sync working with LDAPS then you previously exported your DC’s CA chain and pasted it into the “SSL CA Certs” field of your AD sync config.

If you visit your AD sync’s page in the Duo Admin Panel and copy everything in the “SSL CA Certs” field, paste that into a text file, save the text file with .pem as the extension, and then provide that PEM file to the SSO AD Authentication config as the “SSL CA certificate”, does it work?

I have assumed that you are using the same AD domain controller for both AD sync and SSO AD auth.

ETA: did you actually check the Authentication Proxy’s logs as the message suggested? If you still have issues try enabling debug logging on the Authentication Proxy, reproduce the error message, and look at the debug log output on the proxy for more information.

Thanks. I tried copying the cert from AD Sync into a text file, renaming the extension to PEM and uploading the PEM file into SSO/Proxy. This generates the same error.

Yes, same domain controllers in Proxy as in AD Sync.

Here are the logs:

  File "duoauthproxy\modules\drpc_plugins\ldap_sso.pyc", line 1045, in do_ldap_health_check
  File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\ldap\client.pyc", line 879, in perform_bind
  File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\ldap\client.pyc", line 747, in perform_bind_sspi
  File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\ldap\client.pyc", line 780, in _authorize
  File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\ldap\client.pyc", line 815, in _recalculate_buffer_data
  File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\ldap\client.pyc", line 1049, in _get_peercert
  File "twisted\protocols\tls.pyc", line 232, in _checkHandshakeStatus
  File "OpenSSL\SSL.pyc", line 1806, in do_handshake
  File "OpenSSL\SSL.pyc", line 1546, in _raise_ssl_error
  File "OpenSSL\_util.pyc", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

Thoughts?

I looked at the certificate you have configured for your SSO AD Authentication. I see a single cert, your “Offline Root CA”. Is that the issuer of your domain controllers’ certificates, or is there an intermediate CA that actually issued those DC certs? If so, make sure the cert file you upload for SSO AD Auth contains both that “Offline Root CA” cert AND the intermediate CA cert.

ETA: we have this acert tool you can use to get the full CA chain in response. You would use it against one of your DC’s IP addresses like acert.exe -host 10.0.0.2.. -port 636 and the response will show the PEM certs in the full CA chain, which you can copy into the text file you upload as the SSL cert for SSO.

Like, the certificate file you upload would have as many -----BEGIN CERTIFICATE----- infoinfoinfo -----END CERTIFICATE----- sections as there are issuers in the chain.

I used the acert tool to get the certificate for AD Sync. When I use the acert, I get the cert that I uploaded to the Duo admin panel.

Again, I am using the same cert for AD Sync (working) as I am for the Proxy (not working).

Since I am pulling the cert using acert, I’m not sure how else to obtain the cert required.

This method also does not work: https://help.duo.com/s/article/2222?language=en_US.

Please advise.

Thanks.

So you only have one enterprise CA, your “Offline Root CA”, and that is the issuer of the certs used by your domain controller?

I suggest you contact Duo Support as the next steps for troubleshooting aren’t suitable for this public forum as they may expose private information. A Duo support engineer can review your certificates and the debug output in detail. Don’t post that info here.