Issues after migrating to a new server

[hbouma]

Ok, got it fixed. The issue appears to be entirely related to some FIPS fun and a new verison of openldap on RHEL 8 vs RHEL 7.

These are the steps I had to run to fix it.
edit the /etc/openldap/ldap.conf to uncomment the following line:

Code: Select all

TLS_CACERT      /etc/pki/tls/cert.pem

run the following commands:

Code: Select all

update-ca-trust extract
systemctl restart httpd php-fpm
update-crypto-policies --set LEGACY
reboot

[hbouma]

Well, I spoke too soon. I got everything working, migrated my data using the instructions from Nagios, copied the data to the new offloaded database, redid the passwords and then started the service. Everything starts, the database is working fine, but I get this error whenever I try to log in. This is from the /var/log/php-fpm/www-error.log:

Code: Select all

[22-Mar-2022 10:00:41 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:06:14 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:08:16 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:13:26 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:17:03 US/Eastern] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:17:05 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:22:33 US/Eastern] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:23:58 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:24:23 US/Eastern] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:36:52 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:52:24 US/Eastern] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 13:28:58 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 13:42:27 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 13:44:40 US/Eastern] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 13:44:40 US/Eastern] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641


[pbroste]

Hello @hbouma

Crazy, how things like this happen one minute it is working and the next tweak breaks it. If only we can figure out what changed.

Looking at line 641 in 'src/adLDAP.php' the following:

if ($this->useTLS) {
641 ldap_start_tls($this->ldapConnection);
642 }

Looking back through the support forum posts and I see that we had flipped and flopped configs in '/etc/ldap/ldap.conf' to the point I am not sure what worked? In the previous post you stated that you had things functioning with the following quote:

@hbouma said; Ok, got it fixed. The issue appears to be entirely related to some FIPS fun and a new verison of openldap on RHEL 8 vs RHEL 7.

These are the steps I had to run to fix it.
edit the /etc/openldap/ldap.conf to uncomment the following line:

Code: Select all

TLS_CACERT      /etc/pki/tls/cert.pem

Looking at others that had similar issues they referenced permissions:

workaround, try editing /etc/ldap/ldap.conf and/or /etc/openldap/ldap.confand and add the line:

Also
i changed the owner of the directory "/etc/openldap/certs" from root:root to apache:nagios. After this change when i add the root-certificate of our CA through the Web-GUI two new files where generated in the directory "/etc/openldap/certs", one pem-file and one crt-file. This new files are owned by "apache", so User "apache" needs write-access to directory "/etc/openldap/certs". i removed the workaround "TLS_REQCERT never" from /etc/openldap/ldap.conf to test the change. Our AD-Users can now login as expected with no errors.

/etc/openldap/cacerts. Check the permissions:

Code: Select all

ls -alh /etc/openldap/cacerts

and set:

Code: Select all

chown apache:nagios /etc/openldap/cacerts
chmod 775 /etc/openldap/cacerts

#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /cacerts


Also in a previous post we had you uncomment the following:
/etc/openldap/ldap.conf adding:

Code: Select all

TLS_REQCERT allow

We also updated the TLS_CACERT line which means we need to confirm the cert.pem is correct in your /etc/openldap/ldap.conf:

#TLS_CACERT /etc/pki/tls/cert.pem


So it looks like this:

CODE: SELECT ALL
TLS_CACERT /etc/pki/tls/cert.pem

Then restart apache/php-fpm and test again and see if that resolves the issue.

You made a comment in the previous post regarding FIPS, and circling back we looked at the following:

systemctl restart httpd php-fpm

Previously we had you pull the crypto-policies and that results show: FIPS; and want to disable that by: (requires reboot when you get a chance)


fips-mode-setup --disable && reboot

Then:

update-crypto-policies --set LEGACY && reboot


After reboot verify:

update-crypto-policies --show

Please take time and run through and compare what we ran through and compare to what is set now as something changed when the update was applied.

Thanks,
Perry

[hbouma]

So, I looked at all those files. None of them have changed from the time it worked pre-migration, to when it failed post migration.

Since this is a DEV server, I am going to have it restored from backup, run through the steps one at a time and see what happens and when the logins stop working again.

[pbroste]

@hbouma

Checking in with you on this to see how things are going? Please let us know if you need anything further.

We're moving to a new support system!

The Nagios Answer Hub is a place where you can get help with technical questions from our experts. There, you can quickly open tickets and join discussion boards.

Request Nagios Answer Hub access here: https://info.nagios.com/answer-hub-access-new-users

After completing the access form, you will be given access to a portal where new tickets can be created. We will keep the old customer forum sections and ticket system available for current cases to be resolved.

[hbouma]

Ok, I have tested this out.

RHEL 8.5 64bit VM Nagios XI server works fine after install. Logins work.
Backup taken from RHEL 7.9 64bit VM Nagios XI server by running /usr/local/nagiosxi/scripts/backup_xi.sh
Restore of the backup done to RHEL 8 server by running /usr/local/nagiosxi/scripts/restore_xi.sh /store/backups/nagiosxi/FILE.tar.gz
Ran the fix of the restore repair script as I went from RHEL 7 to RHEL 8.

mount -o remount,exec /tmp
cd /tmp/
wget https://assets.nagios.com/downloads/nag ... _repair.sh
chmod +x restore_repair.sh
./restore_repair.sh


Now, I can't log into the server again. Same issues as I posted at posting.php?mode=reply&f=16&t=64456#pr342252

[pbroste]

Hello @hbouma

Let's go ahead and enable-debug.

https://nagiosenterprises.lightning.force.com/lightning/r/Knowledge__kav/ka01K000000tBA1QAM/view?ws=%2Flightning%2Fr%2FCase%2F5001K000017W3goQAC%2Fview

or

https://support.nagios.com/kb/print-600.html

Let us know how things look,
Perry