Error Encountered in Setting Up External LDAP Authentication in Red Hat Satellite 6 due to Weak SSL Certificate Key

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • What is causing the certificate verify failed error during LDAP server authentication?

  • How does the SSL connection error certificate verify failed (EE certificate key too weak) impact the LDAP authentication process?

  • What steps can be taken to resolve the certificate verify failed (EE certificate key too weak) error during the external LDAP authentication setup in Red Hat Satellite 6?

  • LDAPS authentication has failed due to SSL issues, specifically the weak EE certificate key.

  • The Red Hat Satellite LDAP authentication encounters an error related to the weak EE certificate key.

  • Following an in-place upgrade from RHEL 7 to RHEL 8, the Red Hat satellite server now prevents login via the satellite WebUI using domain accounts and LDAP.

     ERF77-6997 [Foreman::LdapException]: Error while connecting to 'Org-server' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (EE certificate key too weak))
    
     ERF50-1006 [Foreman::WrappedException]: Unable to connect to LDAP server ([Net::LDAP::Error]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (EE certificate key too weak))
    

Resolution

  • The "EE certificate key too weak" error is typically caused by the LDAP server presenting a public key shorter than 2048 bits, which falls short of current cryptographic standards. RHEL 8 raises this error when it encounters encryption parameters it considers insufficient, such as a 1024-bit key. To resolve the issue and strengthen security, replace the certificate with one that uses a stronger key; 4096-bit or larger keys are preferred.

  • The introduction of crypto policies in RHEL 8 marks a shift toward stronger cryptographic standards. The default configuration now expects the SHA-4096 certificate for Active Directory/LDAP servers, as described in the Red Hat article on strong crypto defaults and the deprecation of weak cryptographic algorithms.

  • If you are configuring Active Directory authentication with TLS on Red Hat Satellite 6, follow the guidance in the referenced document.

  • To comply with industry standards, use the stronger cryptographic algorithms and key lengths required by the Federal Information Processing Standards (FIPS). Upgrading the server's public key to meet the FIPS policy requirements keeps the deployment within the mandated security standards.

  • For broader troubleshooting of Red Hat Satellite 6.x authentication issues, see the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues.
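  Before requesting a new certificate, confirm that the key length is really the problem. The script below is an added example, not part of this Red Hat solution; it uses only the openssl CLI, which is present on Satellite servers. It extracts the public-key algorithm and size from a PEM certificate, applies the 2048-bit RSA minimum enforced by the RHEL 8 crypto policies, and includes a helper that pulls the certificate from a live LDAPS endpoint. The host name ldap.example.com, the port 636 and the locally generated demo certificates are assumptions constructed for illustration.

```shell
# Added example (not from the Red Hat solution): check whether an LDAP
# server certificate's RSA public key meets the RHEL 8 DEFAULT/FIPS crypto
# policy minimum of 2048 bits, the threshold behind the
# "EE certificate key too weak" error. Requires the openssl CLI.

MIN_BITS=2048

# Print the public-key algorithm of a PEM certificate (e.g. rsaEncryption).
cert_key_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: \(.*\)/\1/p'
}

# Print the public-key size in bits of a PEM certificate.
# Matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Report whether the certificate would pass the 2048-bit RSA rule.
# Returns 0 when acceptable, 1 when too weak, 2 when unreadable.
check_key_strength() {
    algo=$(cert_key_algo "$1")
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "ERROR: could not read a public key from $1"
        return 2
    fi
    if [ "$algo" != "rsaEncryption" ]; then
        # The 2048-bit threshold applies to RSA; other key types have
        # their own policy limits, so only report what was found.
        echo "INFO: $algo key ($bits bit); RSA length rule not applied"
        return 0
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK: $bits-bit RSA key is below $MIN_BITS bits;" \
             "RHEL 8 rejects it with 'EE certificate key too weak'"
        return 1
    fi
    echo "OK: $bits-bit RSA key meets the $MIN_BITS-bit minimum"
    return 0
}

# Fetch the end-entity certificate presented by a live LDAPS server.
# Usage: fetch_server_cert ldap.example.com 636 /tmp/ldap-ee.pem
# (host and port are assumptions; adjust to your environment)
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Generate a constructed self-signed demo certificate with an RSA key of
# the requested size. These are sample inputs, not real LDAP certificates.
make_demo_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" \
        -out "$2" -days 1 -subj "/CN=ldap.example.com" >/dev/null 2>&1
}

# Demonstration on two constructed certificates: a 1024-bit key that
# reproduces the failure and a 2048-bit key that passes.
run_demo() {
    demo_dir=$(mktemp -d)
    make_demo_cert 1024 "$demo_dir/weak.pem"
    make_demo_cert 2048 "$demo_dir/ok.pem"
    check_key_strength "$demo_dir/weak.pem" || :
    check_key_strength "$demo_dir/ok.pem" || :
    rm -rf "$demo_dir"
    return 0
}

run_demo
```

  On a real Satellite server, run `fetch_server_cert` against the LDAP host named in the Foreman error and then `check_key_strength` on the saved file; a WEAK result confirms that the CA must reissue the server certificate with a longer key, while an OK result means the failure lies elsewhere (for example in the CA chain or the signature algorithm) and the broader troubleshooting article is the next stop.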

Root Cause

  • The FIPS and DEFAULT crypto policies require a server's public key to be at least 2048 bits long. Adhering to this requirement is necessary for system security and data integrity; for compliance, upgrade the server's key length to meet the FIPS policy requirements.

  • Ask your Certificate Authority for new CA-signed certificates that are FIPS-compliant.

Diagnostic Steps

  • The following error is observed in /var/log/foreman/production.log.

    2024-12-18T10:31:27 [I|app|e57fa8ae] Backtrace for 'ERF77-1006 [Foreman::LdapException]: Error while connecting to 
    'XXX_DomainControllers' LDAP server at 'satellite.example.com' during authentication ([Net::LDAP::Error]: 
    SSL_connect returned=1 errno=0 state=error: certificate verify failed (EE certificate key too weak))' error 
    (Foreman::LdapException): ERF77-1006 [Foreman::LdapException]: Error while connecting to 'XXX_DomainControllers' 
    LDAP server at 'satellite.example.com' during authentication ([Net::LDAP::Error]: SSL_connect returned=1 errno=0 
    state=error: certificate verify failed (EE certificate key too weak))
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.