z

Commercial Support Clients: Clients with support contracts can get escalated support assistance by visiting Nagios Answer Hub. These forums are for community support services. Although we at Nagios try our best to help out on the forums here, we always give priority support to our support clients.

Issues after migrating to a new server

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Re: Issues after migrating to a new server

Postby hbouma » Mon Feb 28, 2022 11:22 am

Ok, as a test, I did a clean install of Nagios XI 5.8.6 on a RHEL 8.5 server. It has no other applications installed.

After installing the server, I did the following:
Add Certificate Authority Management certificates.
Configure the LDAP/AD Authentication Servers.
Added 1 user with only AD authentication allowed.
Tested and failed a login to the AD server.

pbroste wrote:Start tcpdump capture:
Code: Select all
tcpdump -s 0 -i any port <yourldapporthere> -w /tmp/output.pcap


Then run through:
Code: Select all
echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636


Let's get the curl results from the api:
Code: Select all
curl -k --verbose -XPOST "https://yournagioshostaddresshere/nagiosxi/api/v1/system/authserver?apikey=yourapikeyhere&pretty=1" -d "conn_method=ldap&ldap_host=yourldaphostaddresshere&base_dn=fulldistinguished namehere&security_level=ssl"


Commands have been run. I added a few different additional AD and LDAP authentication servers to test. I still cannot log in from the GUI. The tests I have provided are run using a straight install of Nagios XI with no password changes, no offloading of the database, no changes to any settings other than what was listed above.

I will send you a packet capture via PM.
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby hbouma » Mon Feb 28, 2022 12:08 pm

Also, I was asked by hour Server team to use a new load balanced IP for the AD server. This one connects without issue:
Code: Select all
echo 'DONE' | openssl s_client -showcerts -connect REDACTED:636
CONNECTED(00000003)
depth=3 REDACTED
verify return:1
depth=2 REDACTED
verify return:1
depth=1 REDACTED
verify return:1
depth=0 REDACTED
verify return:1
140652498016064:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2157:
---
Certificate chain
0 s:REDACTED
   i:REDACTED
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
---
Server certificate
subject=REDACTED

issuer=REDACTED

---
No client certificate CA names sent
---
SSL handshake has read 2373 bytes and written 308 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1646067949
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby pbroste » Wed Mar 02, 2022 4:09 pm

Hello @hbouma

We are receiving a RST:
Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Warning/Sequence): Connection reset (RST)]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A·R··]


Did you get a chance to reach out to your AD Engineer, to find out what is getting logged in the Events?

Thanks,
Perry
User avatar
pbroste
 
Posts: 1287
Joined: Tue Jun 01, 2021 1:27 pm

Re: Issues after migrating to a new server

Postby hbouma » Fri Mar 04, 2022 3:05 pm

Sorry for the delay. I appear to no longer get notifications when my posts are updated.

We checked out the AD servers, and we see login attempts from my work computer at the time I attempt to authenticate to the Nagios XI web page, but do not see any authentication attempts from the server itself. Is this expected?

2022-03-04 15_03_22-Greenshot image editor.png
You do not have the required permissions to view the files attached to this post.
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby pbroste » Tue Mar 08, 2022 11:35 am

Hello @hbouma

You are correct that we should be event logs on the server when Authentication is attempted. That means that the RST noted in the 'tcpdump' is getting bounced even before it has a chance to log.

Let's turn on some logging:

In your /etc/php.ini find these lines and verify that they are enabled and un-commented:

Code: Select all
log_errors = on
error_log = /var/log/phplogs.log
display_errors = on


Then touch to create:
Code: Select all
touch /var/log/phplogs.log


Restart the Apache by bouncing:
Code: Select all
systemctl restart httpd


Send some logging attempts to capture some logging, please take a look at the '/var/log/phplogs.log'.

Please send over the logging and the output on this: php -r 'phpinfo();'

Thanks,
Perry
User avatar
pbroste
 
Posts: 1287
Joined: Tue Jun 01, 2021 1:27 pm

Re: Issues after migrating to a new server

Postby hbouma » Tue Mar 15, 2022 8:18 am

I have made the changes, but no logs are being written. I will be sending you the php.ini and the phpinfo(); output.
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby hbouma » Thu Mar 17, 2022 10:37 am

Hello,

I haven't heard anything back and just wanted to check in.
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby pbroste » Thu Mar 17, 2022 2:16 pm

Hello @hbouma

Want to find out if we are able to connect directly from the Nagios server os:

Code: Select all
yum install openldap-clients -y


Code: Select all
ldapsearch -x -h <yourldapserver> -p <port> -D <username@yourldapdomainname -W -b "dc=searchbasecompany,dc=local" -s -s sub "(cn=*)"


Please let us know the results,
Perry
User avatar
pbroste
 
Posts: 1287
Joined: Tue Jun 01, 2021 1:27 pm

Re: Issues after migrating to a new server

Postby hbouma » Thu Mar 17, 2022 3:39 pm

LDAP Search from the command line is failing with a complaint about the DH certificate key. I am reaching out from to our server team on this.


Code: Select all
[root@servername~]# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://LOAD_BALANCED_IP -D USER_ACCOUNT -W -b "[i]SEARCH_BASE[/i]" -s sub "(cn=)" -d 999
ldap_url_parse_ext(ldaps://LOAD_BALANCED_IP)
ldap_create
ldap_url_parse_ext(ldaps://LOAD_BALANCED_IP:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP LOAD_BALANCED_IP:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP_ADDRESS
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=263, written=263
CERTIFICATE_INFO
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  16 03 03 00 31                                     ....1
tls_read: want=49, got=49
TLS_INFO
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  16 03 03 06 f2                                     .....
tls_read: want=1778, got=1778
TLS_INFO
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: SUBJECT
TLS certificate verification: Error, unable to get local issuer certificate
tls_read: want=5, got=5
  0000:  16 03 03 02 0f                                     .....
tls_read: want=527, got=527
CERTIFICATE_INFO
TLS trace: SSL_connect:SSLv3/TLS read server certificate
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
hbouma
 
Posts: 481
Joined: Tue Feb 27, 2018 9:31 am

Re: Issues after migrating to a new server

Postby pbroste » Fri Mar 18, 2022 4:35 pm

Hello @hbouma

Thanks for following up with the results we see that the 'ldapsearch' command is unable to look for and get the valid cert. Let's go ahead and add that exception by adding or commenting out:

/etc/openldap/ldap.conf

TLS_REQCERT allow
TLS_CACERT /path/where/cert/is
TLS_REQCERT demand

Thanks,
Perry
User avatar
pbroste
 
Posts: 1287
Joined: Tue Jun 01, 2021 1:27 pm

PreviousNext

Return to Nagios XI

Who is online

Users browsing this forum: No registered users and 5 guests