07-19-2022 02:57 PM
I am receiving the following error when trying to use a certificate with Duo SSO/Active Directory/Authentication Proxy:
There was a problem with the TLS cert. Verify the correct CA certificate was specified. Check the Authentication Proxy logs for additional information.
I have followed these instructions: https://help.duo.com/s/article/2222?language=en_US.
I have an LDAPS cert set up with Active Directory Sync; all works there. Tried the same cert, which works in AD Sync, in Duo SSO, and it still fails.
If I switch from using LDAPS to LDAP, all works.
How can I successfully add the cert?
Thanks.
07-20-2022 06:28 AM
If you have a sync working with LDAPS then you previously exported your DC’s CA chain and pasted it into the “SSL CA Certs” field of your AD sync config.
If you visit your AD sync’s page in the Duo Admin Panel and copy everything in the “SSL CA Certs” field, paste that into a text file, save the text file with .pem as the extension, and then provide that PEM file to the SSO AD Authentication config as the “SSL CA certificate”, does it work?
I have assumed that you are using the same AD domain controller for both AD sync and SSO AD auth.
ETA: did you actually check the Authentication Proxy’s logs as the message suggested? If you still have issues try enabling debug logging on the Authentication Proxy, reproduce the error message, and look at the debug log output on the proxy for more information.
07-20-2022 07:28 AM
Thanks. I tried copying the cert from AD Sync into a text file, renaming the extension to PEM and uploading the PEM file into SSO/Proxy. This generates the same error.
Yes, same domain controllers in Proxy as in AD Sync.
Here are the logs:
File "duoauthproxy\modules\drpc_plugins\ldap_sso.pyc", line 1045, in do_ldap_health_check
File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
File "duoauthproxy\lib\ldap\client.pyc", line 879, in perform_bind
File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
File "duoauthproxy\lib\ldap\client.pyc", line 747, in perform_bind_sspi
File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
File "duoauthproxy\lib\ldap\client.pyc", line 780, in _authorize
File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
File "duoauthproxy\lib\ldap\client.pyc", line 815, in _recalculate_buffer_data
File "twisted\internet\defer.pyc", line 1443, in _inlineCallbacks
File "twisted\python\failure.pyc", line 500, in throwExceptionIntoGenerator
File "duoauthproxy\lib\ldap\client.pyc", line 1049, in _get_peercert
File "twisted\protocols\tls.pyc", line 232, in _checkHandshakeStatus
File "OpenSSL\SSL.pyc", line 1806, in do_handshake
File "OpenSSL\SSL.pyc", line 1546, in _raise_ssl_error
File "OpenSSL\_util.pyc", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
Thoughts?
07-20-2022 08:12 AM
I looked at the certificate you have configured for your SSO AD Authentication. I see a single cert, your “Offline Root CA”. Is that the issuer of your domain controllers’ certificates, or is there an intermediate CA that actually issued those DC certs? If so, make sure the cert file you upload for SSO AD Auth contains both that “Offline Root CA” cert AND the intermediate CA cert.
ETA: we have this acert tool you can use to get the full CA chain in response. You would use it against one of your DC’s IP addresses like acert.exe -host 10.0.0.2 -port 636 and the response will show the PEM certs in the full CA chain, which you can copy into the text file you upload as the SSL cert for SSO.
Like, the certificate file you upload would have as many -----BEGIN CERTIFICATE----- infoinfoinfo -----END CERTIFICATE----- sections as there are issuers in the chain.
07-20-2022 08:36 AM
I used the acert tool to get the certificate for AD Sync. When I use acert, I get the cert that I uploaded to the Duo admin panel.
Again, using same cert for AD Sync (working) as I am for Proxy (not working).
Since I am pulling the cert using acert, I’m not sure how else to obtain the cert required.
This method also does not work: https://help.duo.com/s/article/2222?language=en_US.
Please advise.
Thanks.
07-20-2022 10:49 AM
So you only have one enterprise CA, your “Offline Root CA”, and that is the issuer of the certs used by your domain controller?
I suggest you contact Duo Support as the next steps for troubleshooting aren’t suitable for this public forum as they may expose private information. A Duo support engineer can review your certificates and the debug output in detail. Don’t post that info here.
11-26-2024 03:16 AM
You need to put both intermediate cert and root CA cert to the PEM file.