LDAPS woes :-(

Hi everyone,

Recently, we had to renew our internal root certificate and, in the course of that, issue a new certificate for the LDAP server. Since then, icinga web can’t connect to said backend anymore:

**Validation Log**

Connect using LDAPS
NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports LDAPS and that the LDAP-Client is configured to accept its certificate.
LDAP bind (cn=admin,dc=yworks,dc=home / ***) to ldaps://nas-01.yworks.home:636 failed: Can't contact LDAP server

Icinga is running on a CentOS system, and I have imported the new root certificate into the system truststore. Running an ldapsearch from the command line works fine:

ldapsearch -H ldaps://nas-01.yworks.home:636 -b "ou=People,dc=yyy,dc=zzz" -x -D "cn=xxx,dc=yyy,dc=zzz" -W

and openssl can also verify the certificate:

openssl s_client -connect nas-01.yworks.home:636

=> Verify return code: 0 (ok)

Restarting icinga hasn’t helped - is there some other place where I need to change something?

Icinga version: 2.14.0-1
Icinga Web: 2.12.0
PHP: 7.3.33

Thanks for any pointer!

Okay, not exactly icinga related, but maybe still useful to someone - please feel free to delete the thread if you think it doesn’t belong here:

On our setup, we use PHP FPM, and I didn’t realize I’d also have to restart the FPM proxy and possibly also the HTTP proxy:

in my case: systemctl restart rh-php73-php-fpm && systemctl restart httpd

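The root cause in this thread is a long-running process (PHP-FPM, and possibly httpd) that loaded the CA bundle at start-up and never saw the renewed root. The following is an added example, not code from the original poster or from the Icinga project: it performs the same chain-and-hostname check against the LDAPS port that PHP's OpenSSL-backed ldap extension performs, and it flags any running process that started before the trust bundle was last modified, which is exactly the "restart needed" condition the follow-up post describes. The host name, the bundle path fallback and the process names are assumptions; the `/proc` stat line in the test is constructed.

```python
"""Verify an LDAPS endpoint against the system trust store and flag
services that started before the CA bundle last changed.

Added example for this thread; not Icinga's or the poster's own code.
Host names, bundle paths and process names are assumptions.
"""
import os
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Assumption: CentOS/RHEL location written by `update-ca-trust`; used only
# when OpenSSL does not report its own default bundle.
FALLBACK_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def trust_bundle_path() -> str:
    """Path of the CA bundle the local OpenSSL build trusts by default."""
    return ssl.get_default_verify_paths().cafile or FALLBACK_BUNDLE


def ldaps_verify(host: str, port: int = 636, cafile: Optional[str] = None,
                 timeout: float = 5.0) -> Dict[str, object]:
    """Open a TLS connection with full chain and hostname verification.
    Raises ssl.SSLCertVerificationError when the chain does not verify,
    i.e. the same failure mode hidden behind 'Can't contact LDAP server'.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # system store if None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(x[0] for x in cert["subject"]),
        "issuer": dict(x[0] for x in cert["issuer"]),
        "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
    }


def start_time_from_stat(stat_text: str, btime: int, clk_tck: int) -> float:
    """Epoch start time of a Linux process from its /proc/<pid>/stat line.
    Field 22 (starttime) is in clock ticks since boot; the comm field in
    parentheses may contain spaces, so parse from the last ')' onward.
    """
    fields = stat_text[stat_text.rindex(")") + 2:].split()
    starttime_ticks = int(fields[19])  # field 22 overall, index 19 after comm
    return btime + starttime_ticks / clk_tck


def started_before_bundle_change(service_start: float, bundle_mtime: float) -> bool:
    """True when the process still holds the pre-renewal CA list in memory."""
    return service_start < bundle_mtime


def stale_processes(names: List[str], bundle: Optional[str] = None) -> List[int]:
    """PIDs of processes whose comm is in `names` and that started before
    the trust bundle was last modified. Linux-only (reads /proc)."""
    bundle = bundle or trust_bundle_path()
    bundle_mtime = os.stat(bundle).st_mtime
    clk_tck = os.sysconf("SC_CLK_TCK")
    with open("/proc/stat") as f:
        btime = next(int(line.split()[1]) for line in f if line.startswith("btime "))
    stale = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            if comm not in names:
                continue
            with open(f"/proc/{pid}/stat") as f:
                start = start_time_from_stat(f.read(), btime, clk_tck)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited or not readable; skip it
        if started_before_bundle_change(start, bundle_mtime):
            stale.append(int(pid))
    return stale


if __name__ == "__main__":
    # Assumed host name and process names; adjust for your environment.
    host = sys.argv[1] if len(sys.argv) > 1 else "nas-01.yworks.home"
    try:
        print("LDAPS OK:", ldaps_verify(host))
    except ssl.SSLCertVerificationError as exc:
        print("LDAPS chain does NOT verify against", trust_bundle_path(), "->", exc)
    for pid in stale_processes(["php-fpm", "httpd", "apache2", "icinga2"]):
        print(f"PID {pid} started before the CA bundle changed; restart it")
```

Run it as root (or as a user that can read `/proc/<pid>/stat` for the web server) right after `update-ca-trust`: a verified TLS handshake together with a non-empty list of stale PIDs reproduces the situation in the thread, where `ldapsearch` and `openssl s_client` succeed while the already-running PHP-FPM workers keep failing.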