RHEL 9 duounix and 'certificate verify failed' error

SteveKK
Level 1

I thought my solution may help others when encountering 'certificate verify failed' errors in the logs.

I am running a RHEL 9 server and have duo_unix-2.0.3-0.el9.x86_64 installed via the official repo. I was struggling to get the Duo prompt to work when connecting over SSH, even though I have multiple other systems with similar configuration working. The main difference here was that this is my first RHEL 9 instance. In my logs I was seeing errors like:

Failsafe Duo login for 'USERNAME' from 10.10.10.10: Couldn't connect to api-12345678.duosecurity.com: certificate verify failed

This led me to a KB article that did not really help me with my solution, since cafile is not mentioned in the documentation page that it links to. My next troubleshooting step was checking connectivity from a shell:

$ curl --proxy http://1172.16.0.2:1234/ https://api-12345678.duosecurity.com/auth/v2/ping
curl: (60) SSL certificate problem: CA certificate key too weak

Now I knew why this system was unable to verify the certificate, so the next step was a search of the Red Hat knowledge base, which took me to a KB link for a similar issue on RHEL 8. In summary, RHEL allows configuration of system-wide cryptographic policies, which can impact connectivity to third-party services. My system was set to use the FUTURE policy. Changing to DEFAULT has resolved my issue:

$ sudo update-crypto-policies --show
FUTURE
$ sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
$ curl --proxy http://1172.16.0.2:1234/ https://api-12345678.duosecurity.com/auth/v2/ping
{"response": {"time": 1706007357}, "stat": "OK"}

After a server reboot, as recommended, I can now log in and receive the Duo push to my mobile phone when using SSH.

Be aware that the above steps weaken the overall security posture of your server, so ensure you still comply with company policies or regulations. Hopefully the above will help others seeing similar errors to identify a solution suitable for their risk profile.

Steve
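An added example, not part of Steve's post, for narrowing the error down before relaxing the policy: it dumps the chain a host presents and reports which RSA key falls below the active policy's minimum. The per-policy minimums (LEGACY 1024, DEFAULT/FIPS 2048, FUTURE 3072) are assumed values to check against your release's crypto-policies documentation; the host name is the one from the post.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): find which certificate in a
# server's chain the active RHEL crypto policy rejects, so the choice between
# staying on FUTURE and dropping to DEFAULT is made on evidence.
set -eu

# Minimum RSA modulus size each system-wide policy accepts. Assumed values
# (LEGACY 1024, DEFAULT/FIPS 2048, FUTURE 3072); verify them for your release.
policy_min_rsa_bits() {
  case "$1" in
    LEGACY) echo 1024 ;;
    DEFAULT|FIPS) echo 2048 ;;
    FUTURE) echo 3072 ;;
    *) echo "unknown policy: $1" >&2; return 1 ;;
  esac
}

# Reads 'openssl x509 -text' output for one or more certificates on stdin and
# prints "subject|bits|status" per certificate: ok, weak, or n/a for non-RSA
# keys (an EC key must not be measured against the RSA minimum).
# Returns 1 if any RSA key is below the policy minimum, which is the condition
# curl reports as "CA certificate key too weak".
check_chain_keys() {
  policy=$1; min=$(policy_min_rsa_bits "$policy")
  subject=""; alg=""; rc=0
  while IFS= read -r line; do
    case "$line" in
      *"Subject:"*) subject=${line#*"Subject: "} ;;
      *"Public Key Algorithm:"*) alg=${line#*"Algorithm: "} ;;
      *"Public-Key: ("*" bit)"*)
        bits=${line#*"Public-Key: ("}; bits=${bits%% bit*}
        if [ "$alg" != rsaEncryption ]; then status=n/a
        elif [ "$bits" -ge "$min" ]; then status=ok
        else status=weak; rc=1; fi
        printf '%s|%s|%s\n' "$subject" "$bits" "$status" ;;
    esac
  done
  return $rc
}

# Dumps every certificate presented by HOST (port 443) as text. When the host is
# only reachable through a proxy, add '-proxy PROXYHOST:PORT' to s_client.
chain_text() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
    | openssl pkcs7 -print_certs -text -noout
}

# Usage: ./check_chain.sh api-12345678.duosecurity.com [POLICY]
if [ "$#" -ge 1 ]; then
  chain_text "$1" | check_chain_keys "${2:-$(update-crypto-policies --show)}"
fi
```

A "weak" line for a root or intermediate tells you the rejection comes from the trust chain rather than from Duo's leaf certificate, which is the case where only a policy change or an explicit cafile can help.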
