Configure SSL cert on Nagios XI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Configure SSL cert on Nagios XI

Post by IT-OPS-SYS »

Hi team,

I have followed the instructions as per the below article to configure SSL on the Nagios server version 5.8.1:

https://assets.nagios.com/downloads/nag ... s%20XI.pdf

We are using DigiCert as the certificate authority and we have .csr, .csr. and .key in the respective place. We restarted the httpd service also but we could see the web server page.

I could not find errors on /var/log/httpd/error_logs as well. Kindly help.

curl -L cvrmnagiosxi002.ellucian.com -vvv
* About to connect() to cvrmnagiosxi002.ellucian.com port 80 (#0)
* Trying 149.24.164.25...
* Connected to cvrmnagiosxi002.ellucian.com (149.24.164.25) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: cvrmnagiosxi002.ellucian.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 13 May 2021 07:38:50 GMT
< Server: Apache
< Location: https://cvrmnagiosxi002.ellucian.com/
< Content-Length: 221
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host cvrmnagiosxi002.ellucian.com left intact
* Issue another request to this URL: 'https://cvrmnagiosxi002.ellucian.com/'
* Found bundle for host cvrmnagiosxi002.ellucian.com: 0x1ba9c70
* About to connect() to cvrmnagiosxi002.ellucian.com port 443 (#1)
* Trying 149.24.164.25...
* Connection refused
* Failed connect to cvrmnagiosxi002.ellucian.com:443; Connection refused
* Closing connection 1
curl: (7) Failed connect to cvrmnagiosxi002.ellucian.com:443; Connection refused


Moderator's Note: The profile has been shared with the support team but has been removed from the public forum.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Configure SSL cert on Nagios XI

Post by dchurch »

Are you allowing port 443 thru the firewall?

Try opening the port using this command (as root):

Code:

firewall-cmd --permanent --zone=public --add-port=443/tcp

If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.

Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: Configure SSL cert on Nagios XI

Post by IT-OPS-SYS »

It's done already, as it was working properly 1 day before. Anything else that I can check?

[root@cvrmnagiosxi002 sunilka]# firewall-cmd --permanent --zone=public --add-port=443/tcp

Warning: ALREADY_ENABLED: 443:tcp
success
[root@cvrmnagagios

Errors in the httpd ssl logs:

[Fri May 14 02:15:53.796761 2021] [core:debug] [pid 18959] protocol.c(1280): [client 149.24.38.142:36724] AH00566: request failed: malformed request line
[Fri May 14 02:15:54.806049 2021] [core:debug] [pid 18989] protocol.c(1280): [client 149.24.38.142:36726] AH00566: request failed: malformed request line
[Fri May 14 02:15:54.811401 2021] [core:debug] [pid 18963] protocol.c(1280): [client 149.24.38.142:36728] AH00566: request failed: malformed request line
[Fri May 14 02:15:54.842542 2021] [core:debug] [pid 18960] protocol.c(1280): [client 149.24.38.142:36730] AH00566: request failed: malformed request line
[Fri May 14 02:15:55.851172 2021] [core:debug] [pid 18961] protocol.c(1280): [client 149.24.38.142:36732] AH00566: request failed: malformed request line
[Fri May 14 02:15:55.856543 2021] [core:debug] [pid 20482] protocol.c(1280): [client 149.24.38.142:36734] AH00566: request failed: malformed request line
[Fri May 14 02:15:55.861770 2021] [core:debug] [pid 18962] protocol.c(1280): [client 149.24.38.142:36736] AH00566: request failed: malformed request line
[Fri May 14 02:15:56.871229 2021] [core:debug] [pid 18959] protocol.c(1280): [client 149.24.38.142:36738] AH00566: request failed: malformed request line
[Fri May 14 02:15:56.876387 2021] [core:debug] [pid 18989] protocol.c(1280): [client 149.24.38.142:36740] AH00566: request failed: malformed request line
[Fri May 14 02:15:56.881698 2021] [core:debug] [pid 18963] protocol.c(1280): [client 149.24.38.142:36742] AH00566: request failed: malformed request line
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Configure SSL cert on Nagios XI

Post by ssax »

From the system you're running curl from, what does this output?

Code:

nmap -Pn -p 443 cvrmnagiosxi002.ellucian.com

Please run this command as root on the XI server and send me the resulting /tmp/HTTPDFILES.zip:

Code:

zip -r /tmp/HTTPDFILES.zip /etc/httpd/conf/httpd.conf /etc/httpd/conf.d

PM your latest /var/log/httpd/ssl_error_log as well please.

Thank you!
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Configure SSL cert on Nagios XI

Post by dchurch »

What's the output from the following commands?

Code:

curl -L https://cvrmnagiosxi002.ellucian.com -vvv
openssl s_client -connect cvrmnagiosxi002.ellucian.com:443 </dev/null
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: Configure SSL cert on Nagios XI

Post by IT-OPS-SYS »

[root@cvrmnagiosxi002 ~]# nmap -Pn -p 443 cvrmnagiosxi002.ellucian.com

Starting Nmap 6.47 ( http://nmap.org ) at 2021-05-17 02:00 EDT
Nmap scan report for cvrmnagiosxi002.ellucian.com (149.24.164.25)
Host is up (0.000063s latency).
PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

[root@cvrmnagiosxi002 ~]# curl -L https://cvrmnagiosxi002.ellucian.com -vvv
* About to connect() to cvrmnagiosxi002.ellucian.com port 443 (#0)
* Trying 149.24.164.25...
* Connected to cvrmnagiosxi002.ellucian.com (149.24.164.25) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.


[root@cvrmnagiosxi002 ~]# openssl s_client -connect cvrmnagiosxi002.ellucian.com:443 </dev/null
CONNECTED(00000003)
139642593638208:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1621231325
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
[root@cvrmnagiosxi002 ~]#


Nothing in the ssl_error log, but in the httpd/error_log:

[Sun May 16 09:30:53.551346 2021] [core:debug] [pid 9145] protocol.c(1280): [client 149.24.38.142:42146] AH00566: request failed: malformed request line
[Sun May 16 09:30:54.560536 2021] [core:debug] [pid 9148] protocol.c(1280): [client 149.24.38.142:42148] AH00566: request failed: malformed request line
[Sun May 16 09:30:54.565732 2021] [core:debug] [pid 11343] protocol.c(1280): [client 149.24.38.142:42150] AH00566: request failed: malformed request line
[Sun May 16 09:30:54.570987 2021] [core:debug] [pid 9147] protocol.c(1280): [client 149.24.38.142:42152] AH00566: request failed: malformed request line
[Sun May 16 09:30:55.580555 2021] [core:debug] [pid 23856] protocol.c(1280): [client 149.24.38.142:42154] AH00566: request failed: malformed request line
[Sun May 16 09:30:55.585767 2021] [core:debug] [pid 9146] protocol.c(1280): [client 149.24.38.142:42156] AH00566: request failed: malformed request line
[Sun May 16 09:30:55.590960 2021] [core:debug] [pid 9144] protocol.c(1280): [client 149.24.38.142:42158] AH00566: request failed: malformed request line
[Sun May 16 09:30:56.630275 2021] [core:debug] [pid 9145] protocol.c(1280): [client 149.24.38.142:42160] AH00566: request failed: malformed request line
[Sun May 16 09:30:56.635587 2021] [core:debug] [pid 9148] protocol.c(1280): [client 149.24.38.142:42162] AH00566: request failed: malformed request line
[Sun May 16 09:30:56.641051 2021] [core:debug] [pid 11343] protocol.c(1280): [client 149.24.38.142:42164] AH00566: request failed: malformed request line
[Sun May 16 09:30:57.650195 2021] [core:debug] [pid 9147] protocol.c(1280): [client 149.24.38.142:42166] AH00566: request failed: malformed request line
[Sun May 16 09:30:57.655490 2021] [core:debug] [pid 23856] protocol.c(1280): [client 149.24.38.142:42168] AH00566: request failed: malformed request line
[Sun May 16 09:30:57.660832 2021] [core:debug] [pid 9146] protocol.c(1280): [client 149.24.38.142:42170] AH00566: request failed: malformed request line
[Sun May 16 09:30:58.670284 2021] [core:debug] [pid 9144] protocol.c(1280): [client 149.24.38.142:42172] AH00566: request failed: malformed request line
[Sun May 16 09:30:58.675653 2021] [core:debug] [pid 9145] protocol.c(1280): [client 149.24.38.142:42174] AH00566: request failed: malformed request line
[Sun May 16 09:30:58.680858 2021] [core:debug] [pid 9148] protocol.c(1280): [client 149.24.38.142:42176] AH00566: request failed: malformed request line
[Sun May 16 09:30:59.690178 2021] [core:debug] [pid 11343] protocol.c(1280): [client 149.24.38.142:42178] AH00566: request failed: malformed request line
[Sun May 16 09:30:59.695435 2021] [core:debug] [pid 9147] protocol.c(1280): [client 149.24.38.142:42180] AH00566: request failed: malformed request line
[Sun May 16 09:30:59.700785 2021] [core:debug] [pid 23856] protocol.c(1280): [client 149.24.38.142:42182] AH00566: request failed: malformed request line
[Sun May 16 09:31:00.709589 2021] [core:debug] [pid 9146] protocol.c(1280): [client 149.24.38.142:42184] AH00566: request failed: malformed request line
[Sun May 16 09:31:00.715028 2021] [core:debug] [pid 9144] protocol.c(1280): [client 149.24.38.142:42186] AH00566: request failed: malformed request line
[Sun May 16 09:31:00.720244 2021] [core:debug] [pid 9145] protocol.c(1280): [client 149.24.38.142:42188] AH00566: request failed: malformed request line
[Sun May 16 09:31:01.737016 2021] [core:debug] [pid 9148] protocol.c(1280): [client 149.24.38.142:42190] AH00566: request failed: malformed request line
[Sun May 16 09:31:01.742270 2021] [core:debug] [pid 11343] protocol.c(1280): [client 149.24.38.142:42192] AH00566: request failed: malformed request line^C


Cannot upload the http since "The extension zip is not allowed."
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: Configure SSL cert on Nagios XI

Post by IT-OPS-SYS »

Please find the HTTPD files.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Configure SSL cert on Nagios XI

Post by dchurch »

This SSL_ERROR_RX_RECORD_TOO_LONG error is due to a protocol mismatch; the protocols supported by the client's OpenSSL version can't negotiate with the server's OpenSSL configuration.

Try changing the lines in ssl.conf from:

Code:

#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all +TLSv1.2

to

Code:

SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol all +TLSv1.2

Also what's the output from the following command?

Code:

openssl version

Note on SSL and hardening

If you're looking to generate secure Apache+OpenSSL configurations, Mozilla has published an SSL config generator that will help you write your Apache configs: https://mozilla.github.io/server-side-t ... generator/

A good utility to test how secure your SSL certificate, and show device compatibility, is here: https://www.ssllabs.com/ssltest/
IT-OPS-SYS
Posts: 184
Joined: Sun Jan 07, 2018 12:56 pm

Re: Configure SSL cert on Nagios XI

Post by IT-OPS-SYS »

openssl version
OpenSSL 1.1.0f 25 May 2017
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Configure SSL cert on Nagios XI

Post by dchurch »

Your httpd configuration got messed up somehow.

/etc/httpd/conf/httpd.conf must include the line:

Code:

IncludeOptional conf.d/*.conf

in order for Nagios XI to work.

I turned this on in your configuration and it started running into syntax errors in /etc/httpd/conf.d/*.conf.

The configurations were modified by someone or something, and broken. They were edited beyond just configuring an SSL certificate and key file.

In lieu of tracking down all the syntax errors in your configuration, I'm attaching the default set of configuration files that exist in /etc/httpd, modified with the exact changes that Nagios XI makes to them when you install Nagios XI 5.8.3 under CentOS 8.
Locked
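
The configuration check implied by the last reply, as an added example that is not part of the thread or of Nagios XI: it confirms that httpd.conf actively includes conf.d/*.conf and that the loaded files both listen on 443 and set SSLEngine on. The function names, exit codes and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths follow the /etc/httpd layout quoted
# above; function names and exit codes are hypothetical.

# Print the given files without comment lines and blank lines.
active_lines() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$@" 2>/dev/null || true
}

# check_httpd_ssl ROOT -> 0 ok, 1 conf.d not included, 2 no Listen 443,
# 3 port 443 listened on but SSLEngine never switched on.
check_httpd_ssl() {
    root=${1:-/etc/httpd}
    main="$root/conf/httpd.conf"
    inc='^[[:space:]]*Include(Optional)?[[:space:]]+"?([^[:space:]]*/)?conf\.d/\*\.conf"?[[:space:]]*$'
    lis='^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]+https)?[[:space:]]*$'
    eng='^[[:space:]]*SSLEngine[[:space:]]+on[[:space:]]*$'

    # Without this include, ssl.conf and every other conf.d file is ignored.
    if ! active_lines "$main" | grep -Eiq "$inc"; then
        echo "FAIL: $main has no active 'IncludeOptional conf.d/*.conf'"
        return 1
    fi

    # The main file plus conf.d/*.conf, the files the thread is about.
    all=$(active_lines "$main" "$root"/conf.d/*.conf)
    if ! printf '%s\n' "$all" | grep -Eiq "$lis"; then
        echo "FAIL: no active 'Listen 443' under $root"
        return 2
    fi
    if ! printf '%s\n' "$all" | grep -Eiq "$eng"; then
        echo "FAIL: 443 is listened on but no active 'SSLEngine on' (plain HTTP on 443)"
        return 3
    fi
    echo "OK: conf.d included, Listen 443 and SSLEngine on are active"
}

# Constructed demo tree: the include line is commented out in httpd.conf.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/conf.d"
printf '%s\n' 'Listen 80' '#IncludeOptional conf.d/*.conf' > "$demo/conf/httpd.conf"
printf '%s\n' 'Listen 443 https' 'SSLEngine on' > "$demo/conf.d/ssl.conf"
check_httpd_ssl "$demo" || true
rm -rf "$demo"
```

On the XI server, call `check_httpd_ssl /etc/httpd` and follow it with `httpd -t` to surface the syntax errors the reply mentions.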