PKI-enabling Nagios

CNickyD
Posts: 7
Joined: Thu Apr 23, 2015 1:40 pm

PKI-enabling Nagios

Post by CNickyD »

Hello,

I'm trying to set up PKI authenticated users for Nagios, and I'm finding little to no documentation. I have the setup such that the nagios server does request my cert, but then it says "Forbidden". I know nagios looks for the cert's CN field to authenticate against, and I have that set in cgi.cfg for the various permissions.

I also noticed that nagios.cfg mentioned an object called nagioisusers.cfg that the comment says is the definition for PKI users. But I can't find documentation on how to format that file ANYWHERE. I've tried adding my CN using htpasswd, but I'm pretty sure I don't need to be in that file if I'm using PKI.

Unfortunately, my setup is on another network, so it would be difficult for me to provide snippets of what I've done. But like I said, the server does request my cert - it just doesn't let me in. What could I be overlooking??

Thanks for any help.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: PKI-enabling Nagios

Post by jolson »

Did you come across this document in your search? http://gatwards.org/techblog/pki-enabling-nagios

If so, does following along help at all?
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
CNickyD
Posts: 7
Joined: Thu Apr 23, 2015 1:40 pm

Re: PKI-enabling Nagios

Post by CNickyD »

Yes I did, and no, it didn't help.
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: PKI-enabling Nagios

Post by jdalrymple »

I would start by getting your webserver to work with PKI *at all*.

This appears to be the best howto I see out there.

Once you've got your html document root working with client certificates then going from there to troubleshoot nagios should be a breeze.

One thing that might be telling about what is currently going wrong is the apache access and error logs. That's where I'd start.
CNickyD
Posts: 7
Joined: Thu Apr 23, 2015 1:40 pm

Re: PKI-enabling Nagios

Post by CNickyD »

Well, to answer my own question, it turns out I was using HTTPD 2.2 settings, but running 2.4.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: PKI-enabling Nagios

Post by jolson »

Understood - did you get this fully working?
CNickyD
Posts: 7
Joined: Thu Apr 23, 2015 1:40 pm

Re: PKI-enabling Nagios

Post by CNickyD »

Yep, works like a charm.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: PKI-enabling Nagios

Post by jolson »

That's great to hear - would you mind posting how you got this working so that future searchers of this solution might find your post?
CNickyD
Posts: 7
Joined: Thu Apr 23, 2015 1:40 pm

Re: PKI-enabling Nagios

Post by CNickyD »

Sure. My ssl_error_log reported: "AH01630: client denied by server configuration". This was a hint that the problem was with httpd and not nagios. I simply googled the error code, and found solutions for httpd 2.2 and httpd 2.4. I didn't realize there could be a version issue. httpd -v showed that I was using 2.4, and that solution showed me that I needed the line Require all granted.
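
The 2.2-versus-2.4 difference described in the post above, shown as an added example; it is not part of the original thread and is not CNickyD's actual configuration. Assumptions: the CGI directory /usr/local/nagios/sbin (the location a source install of Nagios Core normally uses), the server name, and the placeholder certificate paths.

```apache
# Added example: client-certificate (PKI) access to the Nagios CGIs.
# Server name and all file paths below are placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName nagios.example.internal
    SSLEngine on
    SSLCertificateFile    /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem

    # CA that issued the user certificates. This directive is only valid at
    # server or virtual-host level, not inside <Directory>.
    SSLCACertificateFile  /path/to/client-ca-bundle.pem

    <Directory "/usr/local/nagios/sbin">
        Options ExecCGI
        SSLRequireSSL

        # Request a client certificate and reject the handshake if it does
        # not chain to the CA above.
        SSLVerifyClient require
        SSLVerifyDepth 2

        # Pass the certificate subject CN to the CGIs as REMOTE_USER, the
        # name that the authorized_for_* entries in cgi.cfg are matched against.
        SSLOptions +StdEnvVars
        SSLUserName SSL_CLIENT_S_DN_CN

        # httpd 2.2 style authorization (what a 2.2 howto will show):
        #   Order allow,deny
        #   Allow from all

        # httpd 2.4 style authorization (mod_authz_core). Without a Require
        # line that grants access here, 2.4 logs
        # "AH01630: client denied by server configuration" and returns 403.
        Require all granted

        # Stricter 2.4 alternative from mod_ssl, which ties authorization to
        # a verified client certificate instead of granting everyone:
        #   Require ssl-verify-client
    </Directory>
</VirtualHost>
```

With `SSLVerifyClient require` in place, `Require all granted` does not open the directory to unauthenticated clients: the certificate check has already happened in the TLS handshake, and Nagios still limits what each CN may see through cgi.cfg. Run `httpd -v` first to confirm which directive style applies, as the post describes.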
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: PKI-enabling Nagios

Post by jolson »

Thank you! I'll lock this thread out - feel free to open another if you have additional questions or issues.