Couldn't establish connection to :636 PKIX path building failed

Hi everyone, I'm posting again because last time I was saved, so why not a second time! I've set up a Graylog node, inputs, etc. with HTTPS and a custom certificate, but the worry is that I'd also like to use LDAPS for security, and when I try a connection with "verify certificates" checked I get this big error:

Couldn’t establish connection to x.x.x.x:636
An error occurred while attempting to connect to server x.x.x.x:636 IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /x.x.x.x:636: SSLHandshakeException(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target), ldapSDKVersion=6.0.10, revision=51b3c7fe15cf42d4b2cd3bbd8165ebf759a8277d'))

While my certificate is working everywhere, have I forgotten something?
Thank you in advance!

Hey @EthanBVV

Seems that your LDAP may not like, or is not able to find, your certificates. By chance, have you uploaded the correct certificate to your LDAP server?

I assume your self-signed certificates work on Graylog using HTTPS, and your inputs also?

Hi @gsmith! So, to explain: I imported a wildcard certificate on Graylog and yes, it works with HTTPS + inputs without any worries; that's why I do not understand why it cannot contact the cert for the LDAPS.

Thanks in advance for the answer.

Cordially.

Hey @EthanBVV

:+1:

I assume all the correct ports are open? Sometimes the name used for the connection can be the cause.

A while back I had a similar issue using MS AD/DC with wildcards. I'm not sure if this will help your issue, but it did for me.

Heyyy! Thank you for your answers, they are a very valuable help for me. The ports are open, because if I do LDAPS without checking the certificate it communicates well with my AD, and currently I log in to Graylog with AD accounts on 636. I will look at what you passed me, hoping that it works! For info, in your LDAP authentication do you put the IP or the FQDN?

We use the FQDN here. Our environment may be different than yours.

Did you try to import the CA certificate into the Java trust store?
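Added illustration, not from the thread and not Graylog's own code: the script below reproduces with OpenSSL the two conditions discussed above, a chain whose issuing CA is absent from the trust store (the OpenSSL analogue of Java's "unable to find valid certification path to requested target") and a wildcard certificate reached by IP instead of FQDN, and shows the check passing once the CA is trusted and the name matches. The CA "Demo Lab CA", the wildcard "*.example.internal", the host "ldap.example.internal" and the IP 10.0.0.5 are constructed lab values; the keystore path passed to the keytool helper is an assumption the caller supplies, and "changeit" is only the JDK's default cacerts password.

```sh
#!/bin/sh
# Lab reproduction of "PKIX path building failed" and the FQDN-vs-IP mismatch,
# using OpenSSL as a stand-in for the JVM's certificate path validation.
# All names below are constructed for the demo, not the poster's real PKI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_demo_pki() {
  # Private CA plus a wildcard server cert issued by it (assumed lab names).
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ldap]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.internal
EOF
  (
    cd "$WORK"
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
      -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=*.example.internal" -keyout ldap.key -out ldap.csr >/dev/null 2>&1
    openssl x509 -req -in ldap.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -sha256 -extfile ca.cnf -extensions v3_ldap -out ldap.pem >/dev/null 2>&1
  )
}

# Runs "openssl verify" on the leaf with the given trust options; prints PASS or FAIL.
check_chain() {
  if openssl verify -no-CApath "$@" "$WORK/ldap.pem" >/dev/null 2>&1; then
    echo PASS
  else
    echo FAIL
  fi
}

# 1. No trust anchor for the issuer: the same condition the Java error reports.
verify_without_ca() { check_chain -no-CAfile; }

# 2. Issuing CA present in the trust store (what keytool -importcert achieves for Java).
verify_with_ca() { check_chain -CAfile "$WORK/ca.pem"; }

# 3. CA trusted and the connection name matches the wildcard SAN (connect by FQDN).
verify_fqdn() { check_chain -CAfile "$WORK/ca.pem" -verify_hostname ldap.example.internal; }

# 4. CA trusted but the client connected by IP: a DNS wildcard SAN never covers an
#    IP address, so name verification fails even though the chain is fine.
verify_by_ip() { check_chain -CAfile "$WORK/ca.pem" -verify_ip 10.0.0.5; }

# The fix on a JVM client: import the issuing CA (not the wildcard leaf) into the
# trust store that JVM actually reads. Keystore path is an assumption supplied by
# the caller; "changeit" is only the JDK default for cacerts. Not run by main.
import_ca_into_jvm_truststore() {
  keystore="$1"; storepass="${2:-changeit}"
  keytool -importcert -trustcacerts -noprompt -alias demo-lab-ca \
    -file "$WORK/ca.pem" -keystore "$keystore" -storepass "$storepass"
}

main() {
  make_demo_pki
  printf 'no trust anchor             : %s  (the PKIX error)\n' "$(verify_without_ca)"
  printf 'CA in trust store           : %s\n' "$(verify_with_ca)"
  printf 'CA trusted, connect by FQDN : %s\n' "$(verify_fqdn)"
  printf 'CA trusted, connect by IP   : %s  (wildcard DNS SAN, no IP SAN)\n' "$(verify_by_ip)"
}
main
```

Two things carry over from the demo to the real problem. First, what has to go into the Java trust store is the issuing CA (and any intermediate), not the wildcard leaf that already works for HTTPS; a JVM can be pointed at a specific store with the standard `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` system properties, so check which JVM and which store the Graylog service actually starts with. Second, once the chain validates, the LDAP server must be configured by a name the certificate covers, which for a wildcard certificate means the FQDN rather than the IP.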
