Issues after migrating to a new server

[hbouma]

We are in the process of vetting out a migration of using our TST instance. We have built our RHEL 8 VM's, installed Nagios XI and offloaded the database. Migrated Nagios XI from the old TST server, migrated the Database from the old DB server and performed the same steps listed when offloading the database for editing the files on the Nagios XI server so they point to the new offloaded database.

We have done all the steps listed from https://support.nagios.com/kb/article/m ... r-892.html.

After doing all this, we see that the built in nagiosadmin user can log in, but the remaining named users get an error "Login token was expired, please try again" when attempting to log in.

Nagios XI 5.8.6 on RHEL 8.5 VM with an offloaded DB.

Any assistance would be appreciated.

[hbouma]

We tried an upgrade to Nagios XI 5.8.7, now we are getting an "Invalid username/password" error. We have verified this happens for all our AD integrated users.

Certificates for our AD system are already added into the system.

[pbroste]

Hello @hbouma

Please PM over the System Profile when you get a chance.

Thanks,
Perry

[hbouma]

PM sent.

[pbroste]

Hello @hbouma

Thanks for following up with the System Profile. We don't see any locally defined users or contacts listed within the database and want to work through this first before we tackle issues with the associated Active Directory.

What do you see from your end:

Code: Select all

echo 'select * from xi_users;' | mysql -u root -pnagiosxi nagiosxi

echo 'select * from tbl_contact;' | mysql -u root -pnagiosxi nagiosql

Next, let's optimize the php-fpm:

Code: Select all

/etc/httpd/conf.d/php.conf

Change this specific part (around line 46):

Code: Select all

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
  </IfModule>
</IfModule>


Add this:

Code: Select all

    Timeout 600
    RequestReadTimeout header=600,minrate=50
    RequestReadTimeout body=600,minrate=50
    <Proxy "unix:/run/php-fpm/www.sock|fcgi://localhost">
        ProxySet timeout=600
    </Proxy>

So it looks like this:

Code: Select all

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    Timeout 600
    RequestReadTimeout header=600,minrate=50
    RequestReadTimeout body=600,minrate=50
    <Proxy "unix:/run/php-fpm/www.sock|fcgi://localhost">
        ProxySet timeout=600
    </Proxy>

    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
  </IfModule>
</IfModule>

Then edit this file:

Code: Select all

/etc/php-fpm.d/www.conf

Set:

Code: Select all

pm.max_requests = 50

Then restart apache/php-fpm:

Code: Select all

systemctl restart httpd php-fpm

Let me know how things are looking,
Perry

[hbouma]

Hello @hbouma

Thanks for following up with the System Profile. We don't see any locally defined users or contacts listed within the database and want to work through this first before we tackle issues with the associated Active Directory.

What do you see from your end:

Code: Select all

echo 'select * from xi_users;' | mysql -u root -pnagiosxi nagiosxi

echo 'select * from tbl_contact;' | mysql -u root -pnagiosxi nagiosql

I see many users displayed in both commands. I can send you the output if you wish.

Next, let's optimize the php-fpm:

Code: Select all

/etc/httpd/conf.d/php.conf

Change this specific part (around line 46):

Code: Select all

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
  </IfModule>
</IfModule>


Add this:

Code: Select all

    Timeout 600
    RequestReadTimeout header=600,minrate=50
    RequestReadTimeout body=600,minrate=50
    <Proxy "unix:/run/php-fpm/www.sock|fcgi://localhost">
        ProxySet timeout=600
    </Proxy>

So it looks like this:

Code: Select all

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    Timeout 600
    RequestReadTimeout header=600,minrate=50
    RequestReadTimeout body=600,minrate=50
    <Proxy "unix:/run/php-fpm/www.sock|fcgi://localhost">
        ProxySet timeout=600
    </Proxy>

    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
  </IfModule>
</IfModule>

This is already present.

Then edit this file:

Code: Select all

/etc/php-fpm.d/www.conf

Set:

Code: Select all

pm.max_requests = 50

Then restart apache/php-fpm:

Code: Select all

systemctl restart httpd php-fpm

This was already set at 50.

Since I didn't actually have any changes to make, there is no change in the behavior.

[pbroste]

Hello @hbouma

Thanks for following up, want to find out why we see "caught SIGWINCH, shutting down gracefully" in your Apache logs.

Code: Select all

sudo yum list --installed > /tmp/yumlist.txt

Code: Select all

ps -aef > /tmp/ps.txt && tar -czvf /tmp/list.tar.gz /tmp/yumlist.txt /tmp/ps.txt /etc/httpd/ /var/log/httpd/*

Please send over the '/tmp/list.tar.gz' when you get a chance.

Thanks,
Perry

[hbouma]

Info sent in a PM

[pbroste]

Hello @hbouma

Thanks for sending the info, keep on seeing proxy-related messages throughout the logs and want to find out if you are going through any proxy or anything security-related.

Because of this: "<Proxy "unix/run/php-fpm/www.sock|fcgi//localhost">" Are you able to ping localhost and if so is it an ipv4 standard address?

Please let us know how that looks, and if that looks alright let's toggle this /usr/local/nagiosxi/html/config.inc.php and restart the Apache by bouncing the service:
Find the following line:

Code: Select all

$cfg['use_https'] = true;

Change to:

Code: Select all

$cfg['use_https'] = false;

To restart Apache:

Code: Select all

systemctl restart httpd

Let us know how things look,
Perry

[hbouma]

All of my checks say we are not using a proxy. echo $http_proxy and echo $https_proxy are not defined. I see nothing in the configuration files for our RHSM, YUM or any other tools indicating a proxy. A wget of http://google.com does not indicate any proxy either.

Are you able to ping localhost and if so is it an ipv4 standard address?

Comes back as 127.0.0.1

Please let us know how that looks, and if that looks alright let's toggle this /usr/local/nagiosxi/html/config.inc.php and restart the Apache by bouncing the service:
Find the following line:

Code: Select all

$cfg['use_https'] = true;

Change to:

Code: Select all

$cfg['use_https'] = false;

To restart Apache:

Code: Select all

systemctl restart httpd

Logins still fail after this change. The only working account is the local nagiosadmin account.

However, we are redirected back to the https page based on the security changes that we made from https://assets.nagios.com/downloads/nag ... s%20XI.pdf