I have set up a single-node AWX instance (Version 2.1.2) using Docker. Unfortunately the LDAP connection doesn't work and throws the following error message:

WARNING  django_auth_ldap Caught LDAPError while authenticating USERNAME: 
SERVER_DOWN({'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self signed 
certificate in certificate chain)', 'desc': "Can't contact LDAP server"},)

I already downloaded the intermediate cert and added it to the settings.py.

import ldap

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    # CA bundle used to verify the LDAP server certificate
    ldap.OPT_X_TLS_CACERTFILE: '/etc/pki/ca-trust/source/anchors/generali-ca.pem',
    ldap.OPT_NETWORK_TIMEOUT: 30,
    # must be the last TLS option so the settings above are applied to a fresh TLS context
    ldap.OPT_X_TLS_NEWCTX: 0,
}

If I query the API, the changes are in place.

Any idea how to resolve this issue?

Mike
V.Widmer
  • Hi V.Widmer, welcome to SO. You mention the "intermediate" cert, but have you tried providing the whole chain, all the way up to the self-signed root? You may even experience better luck adding that cert chain to `/etc/ssl/certs/ca-certificates` or whatever CentOS uses, such that `openssl s_client -connect` would connect cleanly – mdaniel Dec 19 '18 at 06:17
  • Hi Matthew. Thank you very much for your input. Your approach actually solved the issue. Many thanks. – V.Widmer Dec 21 '18 at 09:46

1 Answer

You mention the "intermediate" cert, but it likely needs the whole chain, all the way up to the self-signed root.

Separately, you may even experience better luck adding that cert chain to /etc/ssl/certs/ca-certificates or whatever CentOS uses, such that openssl s_client -connect would connect cleanly. It can reduce the number of places that need to be taught about the upstream CA because the "machine" will trust the CA.

mdaniel
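An added check, not part of the answer and not code from AWX or django_auth_ldap: this stdlib-only Python walks a PEM bundle such as the file named in OPT_X_TLS_CACERTFILE and reports whether it ends in a self-signed root, which is the condition the answer describes. The sample bundles are constructed minimal DER stand-ins (real TBSCertificate field order, no real keys or signatures), and all function names are my own.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0  # split the body of a SEQUENCE into its (tag, value) children
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        out.append((tag, body))
    return out

def issuer_and_subject(cert_der):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    fields = der_children(der_children(der_tlv(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_bytes):
    """Walk a PEM bundle leaf-to-root; return (ok, reason)."""
    names = [issuer_and_subject(base64.b64decode(b"".join(m.split())))
             for m in PEM_RE.findall(pem_bytes)]
    if not names:
        return False, "no certificates found"
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"cert {i} issuer does not match cert {i + 1} subject"
    if names[-1][0] != names[-1][1]:
        return False, "last cert is not self-signed: the root CA is missing"
    return True, f"{len(names)} cert(s), chain ends at a self-signed root"

# Constructed sample input: minimal DER stand-ins with the real TBSCertificate field order, not real certs.
def der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length only (< 128 bytes)

def fake_cert(issuer_cn, subject_cn):
    def name(cn):  # Name reduced to SEQUENCE { PrintableString }
        return der(0x30, der(0x13, cn.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # sigAlg/signature placeholders
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

INTERMEDIATE_ONLY = fake_cert("Example Root CA", "Example Issuing CA")  # what the question configured
FULL_CHAIN = INTERMEDIATE_ONLY + fake_cert("Example Root CA", "Example Root CA")
```

Run check_chain() on the real bundle path from settings.py to see whether it stops at the intermediate, as the question's did, or reaches a self-signed root.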