11-08-2018 01:39 PM
I can’t get the proxy server to talk back to Duo. When I run the authentication test I am getting a certificate error. This is a standard install with no custom settings. The only thing I have listed under [main] in the config is to turn on debug. I tried specifying the location of the ca-bundle.crt and that didn’t make a difference. The output from the connectivity_tool log is listed below.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#warn] The RADIUS Server has connectivity problems.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] The Auth Proxy was not able to ping Duo at ■■■■.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] This appears to be because of unreadable or invalid CA certificates passed down by [main]'s http_ca_certs_file configuration option preventing the Auth Proxy from reaching out to Duo. Please refer to any errors above in main’s check to fix this and retry.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#debug] Exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#warn] The Auth Proxy did not run the time drift check because of the problem(s) with the ping check. Resolve that issue and rerun the tester.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] The Auth Proxy was not able to validate the provided API credentials.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#error] This appears to be because of unreadable or invalid CA certificates passed down by [main]'s http_ca_certs_file configuration option preventing the Auth Proxy from reaching out to Duo. Please refer to any errors above in main’s check to fix this and retry.
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#debug] Exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] The Auth Proxy will be able to accept connections on port 1812 on all interfaces
2018-11-07T16:25:00-0500 [duoauthproxy.lib.log#info] -----------------------------
11-09-2018 05:10 AM
Hi, please contact Duo Support for help with your issue.
08-11-2021 11:52 PM
Can anyone please share the resolution to this? I’m trying to run a trial, so I don’t get support.
TIA
08-12-2021 07:38 AM
Do you receive the exact same messages in the connectivity tool output?
The simplest step is to make sure that the ca-bundle.crt file is readable by the account that runs the Duo proxy service.
Another possibility is if you have SSL inspection in place, where the CA that issues the SSL inspector’s cert isn’t trusted by the proxy, so it can’t establish a secured connection to Duo.
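The two causes in the reply above (an unreadable bundle, and a bundle that does not contain the CA that actually signs what the proxy sees) can both be confirmed without Duo Support. The script below is an added example, not from the thread and not Duo's own connectivity tool: inspect_bundle() checks that the file is readable by the account running the script (run it as the account the proxy service uses) and that OpenSSL will load it as a trust store, which is the step that produces CERTIFICATE_VERIFY_FAILED when a block is malformed; probe_duo() performs the live handshake to the API host with only that bundle trusted and surfaces the underlying verify message, which is what distinguishes a bad bundle from SSL inspection. The sample bundle written by demo() is constructed junk, not real CA material, and the api_host argument is a placeholder you replace with the value from your config.

```python
"""Offline sanity check for the CA bundle a Duo Authentication Proxy loads via
[main] http_ca_certs_file.

Added example (not Duo's connectivity tool). inspect_bundle() answers the two
questions raised in the thread: can this account read the file, and does
OpenSSL accept every PEM block in it. probe_duo() needs network access and
reproduces the proxy's ping check with the same trust store.
"""
import base64
import os
import re
import socket
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def inspect_bundle(path):
    """Describe a PEM bundle: readability, block count, malformed blocks, and
    whether OpenSSL will load it as a trust store."""
    report = {
        "readable": os.access(path, os.R_OK),
        "blocks": 0,
        "bad_blocks": [],     # (1-based block index, reason)
        "load_error": None,   # str if OpenSSL rejected the file
    }
    if not report["readable"]:
        report["load_error"] = "file is not readable by this account"
        return report
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    for i, body in enumerate(PEM_BLOCK.findall(text), start=1):
        report["blocks"] += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            report["bad_blocks"].append((i, "bad base64: %s" % exc))
            continue
        # Every X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        if not der or der[0] != 0x30:
            report["bad_blocks"].append((i, "payload is not a DER SEQUENCE"))
    # The check that matters: this is how the proxy's SSL context ingests the
    # file before the HTTPS call to Duo. Zero certs or one bad block both raise.
    try:
        ssl.create_default_context().load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        report["load_error"] = str(exc)
    return report


def probe_duo(api_host, cafile, port=443, timeout=10):
    """Live check (needs network): TLS handshake to api_host trusting only
    cafile, mirroring the proxy's ping check. Returns (ok, detail)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # hostname check stays on
        with socket.create_connection((api_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=api_host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return True, "verified; issued by %s" % issuer.get("organizationName")
    except ssl.SSLCertVerificationError as exc:
        # verify_message is the detail CERTIFICATE_VERIFY_FAILED hides, e.g.
        # "unable to get local issuer certificate": the bundle lacks the CA that
        # signed the served cert, the classic SSL-inspection symptom.
        return False, "verify failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "connection failed: %s" % exc


def write_constructed_bundle(dir_path, der_blobs):
    """Write DER blobs as a PEM 'bundle' (constructed test data, not real CAs)."""
    path = os.path.join(dir_path, "ca-bundle.crt")
    with open(path, "w") as fh:
        for der in der_blobs:
            fh.write("-----BEGIN CERTIFICATE-----\n")
            fh.write(base64.encodebytes(der).decode("ascii"))
            fh.write("-----END CERTIFICATE-----\n")
    return path


def demo():
    """Inspect a constructed bundle: one well-formed DER SEQUENCE that is not a
    certificate, plus one block of non-DER bytes. Both must make OpenSSL refuse
    the file, which is exactly the proxy's 'invalid CA certificates' case."""
    with tempfile.TemporaryDirectory() as d:
        path = write_constructed_bundle(d, [b"\x30\x03\x02\x01\x01", b"\x00\x01"])
        return inspect_bundle(path)


if __name__ == "__main__":
    print(demo())
    # Replace with the api_host from your authproxy.cfg and the bundle path:
    # print(probe_duo("api-XXXXXXXX.duosecurity.com", r"C:\path\to\ca-bundle.crt"))
```

If inspect_bundle() reports no error but probe_duo() returns "unable to get local issuer certificate", the bundle is fine and something between the proxy and Duo is re-signing the connection; the issuer printed on a successful handshake tells you who that is.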
08-12-2021 04:30 PM
Hello DuoKristina,
Thank you for responding.
Yes, I receive the same messages in the connectivity tool output.
The ca-bundle file inherits the same Windows folder permissions as the authproxy.cfg file, which the Duo Proxy Service seems to be able to read.
There is no SSL inspection in place.
Can you please confirm that my ca-bundle file only needs to include the intermediate CA certificate, followed by the root CA certificate in PEM format, like this?
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
And assuming the intermediate CA certificate is the same one the domain controller uses for the LDAPS query, then it should be valid?
Thanks,
Hamish
08-12-2021 04:52 PM
The ca-bundle file is not used at all for LDAP connections made inbound to a proxy running an ldap_server_auto config, nor is it used for LDAP connections made outbound to an AD or LDAP directory server specified in an ad_client section. Its exclusive function is for verifying the connection from the Authentication Proxy to Duo’s cloud service for the 2FA request. There should be no need to add any information about your domain controller cert or CA.
I wonder if you are conflating this original issue with something else? The vast majority of customers never touch or edit the ca_bundle file, because they have no need to do so.
Is your issue that the proxy cannot contact Duo’s server, or that it cannot make an LDAPS or STARTTLS connection to a directory server or establish one with a downstream LDAP client? That puts different output into the authproxy.log or connectivity tool output, and has a different solution.
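To make the separation in the reply above concrete, here is an added example authproxy.cfg (not from the thread and not Duo's own sample) showing which section's CA setting governs which TLS connection. The option names follow the Authentication Proxy configuration reference as I know it (http_ca_certs_file in [main], ssl_ca_certs_file and transport in [ad_client]); the host names, DN, paths and keys are placeholders, and you should confirm the option names against the reference for your proxy version.

```ini
[main]
debug=true
; Trust store for the proxy -> Duo cloud HTTPS call ONLY.
; Leave it unset to use the ca-bundle.crt shipped with the proxy. Set it only
; if an SSL-inspecting device re-signs traffic to your api_host, and then it
; must contain that device's issuing CA, not your internal AD CA.
;http_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\inspection-ca.pem

[ad_client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=REDACTED
search_dn=DC=example,DC=internal
; Trust store for the proxy -> domain controller LDAPS connection.
; This is where the intermediate + root that signed the DC's certificate go.
transport=ldaps
ssl_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\internal-ca.pem
ssl_verify_hostname=true

[ldap_server_auto]
ikey=YOUR_INTEGRATION_KEY
skey=REDACTED
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
```

A CERTIFICATE_VERIFY_FAILED in the connectivity tool's ping check points at the [main] setting; a failed LDAPS bind to the DC points at [ad_client]'s ssl_ca_certs_file, and putting the AD CA chain into http_ca_certs_file fixes neither.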