Re: Issues after migrating to a new server
Posted: Mon Mar 21, 2022 8:58 am
by hbouma
Ok, got it fixed. The issue appears to be entirely related to some FIPS fun and a new version of openldap on RHEL 8 vs RHEL 7.
These are the steps I had to run to fix it.
edit the /etc/openldap/ldap.conf to uncomment the following line:
run the following commands:
Code:
update-ca-trust extract
systemctl restart httpd php-fpm
update-crypto-policies --set LEGACY
reboot
Re: Issues after migrating to a new server
Posted: Tue Mar 22, 2022 12:49 pm
by hbouma
Well, I spoke too soon. I got everything working, migrated my data using the instructions from Nagios, copied the data to the new offloaded database, redid the passwords and then started the service. Everything starts, the database is working fine, but I get this error whenever I try to log in. This is from the /var/log/php-fpm/www-error.log:
Code:
[22-Mar-2022 10:00:41 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:06:14 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:08:16 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:13:26 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:17:03 US/Eastern] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:17:05 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:22:33 US/Eastern] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:23:58 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:24:23 US/Eastern] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 10:36:52 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 10:52:24 US/Eastern] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 13:28:58 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 13:42:27 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
[22-Mar-2022 13:44:40 US/Eastern] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714
[22-Mar-2022 13:44:40 US/Eastern] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641
Re: Issues after migrating to a new server
Posted: Wed Mar 23, 2022 9:31 am
by pbroste
Hello
@hbouma
Crazy how things like this happen: one minute it is working and the next tweak breaks it. If only we can figure out what changed.
Looking at line 641 in 'src/adLDAP.php' shows the following:
if ($this->useTLS) {
641 ldap_start_tls($this->ldapConnection);
642 }
Looking back through the support forum posts, I see that we have flipped and flopped configs in '/etc/ldap/ldap.conf' to the point that I am not sure what worked. In the previous post you stated that you had things functioning with the following quote:
@hbouma said: Ok, got it fixed. The issue appears to be entirely related to some FIPS fun and a new version of openldap on RHEL 8 vs RHEL 7.
These are the steps I had to run to fix it.
edit the /etc/openldap/ldap.conf to uncomment the following line:
Looking at others that had similar issues they referenced permissions:
workaround, try editing /etc/ldap/ldap.conf and/or /etc/openldap/ldap.conf and add the line:
Also
I changed the owner of the directory "/etc/openldap/certs" from root:root to apache:nagios. After this change, when I add the root certificate of our CA through the Web-GUI, two new files were generated in the directory "/etc/openldap/certs", one pem file and one crt file. These new files are owned by "apache", so user "apache" needs write access to directory "/etc/openldap/certs". I removed the workaround "TLS_REQCERT never" from /etc/openldap/ldap.conf to test the change. Our AD users can now log in as expected with no errors.
/etc/openldap/cacerts. Check the permissions:
and set:
Code:
chown apache:nagios /etc/openldap/cacerts
chmod 775 /etc/openldap/cacerts
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /cacerts
Also in a previous post we had you uncomment the following:
/etc/openldap/ldap.conf adding:
We also updated the TLS_CACERT line which means we need to confirm the cert.pem is correct in your /etc/openldap/ldap.conf:
#TLS_CACERT /etc/pki/tls/cert.pem
So it looks like this:
Code:
TLS_CACERT /etc/pki/tls/cert.pem
Then restart apache/php-fpm and test again and see if that resolves the issue.
You made a comment in the previous post regarding FIPS, and circling back we looked at the following:
systemctl restart httpd php-fpm
Previously we had you pull the crypto-policies and the results showed: FIPS; we want to disable that by: (requires reboot when you get a chance)
fips-mode-setup --disable && reboot
Then:
update-crypto-policies --set LEGACY && reboot
After reboot verify:
update-crypto-policies --show
Please take time to run through what we did and compare it to what is set now, as something changed when the update was applied.
Thanks,
Perry
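The checks Perry walks through above (is TLS_CACERT still commented out, does the TLS_CACERTDIR path exist, is the "TLS_REQCERT never" workaround still in place) can be scripted so the same audit runs on the pre- and post-migration server. This is an added example, not code from the thread or from Nagios; the config path, host name and sample files are constructed assumptions, and the live probe relies on OpenSSL 1.1.1+ supporting "-starttls ldap".

```shell
#!/bin/sh
# Audit the TLS directives of an OpenLDAP client config (ldap.conf style)
# and optionally probe StartTLS against the directory server.

# Print the effective (last uncommented) value of a directive, if any.
# ldap.conf directive names are case-insensitive; "#TLS_CACERT" never matches.
ldap_directive() {
    awk -v key="$2" 'toupper($1) == toupper(key) { val = $2 }
                     END { if (val != "") print val }' "$1"
}

# Audit one ldap.conf. Prints findings; returns 0 only when nothing is wrong.
audit_ldap_tls_conf() {
    conf="$1"
    problems=0
    cacert=$(ldap_directive "$conf" TLS_CACERT)
    cacertdir=$(ldap_directive "$conf" TLS_CACERTDIR)
    reqcert=$(ldap_directive "$conf" TLS_REQCERT)

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "PROBLEM: neither TLS_CACERT nor TLS_CACERTDIR is set (still commented out?)"
        problems=$((problems + 1))
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "PROBLEM: TLS_CACERT $cacert is missing or unreadable"
        problems=$((problems + 1))
    fi
    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "PROBLEM: TLS_CACERTDIR $cacertdir does not exist"
        problems=$((problems + 1))
    fi
    # "never"/"allow" hide a broken trust chain instead of fixing it.
    case "$reqcert" in
        never|allow)
            echo "WARNING: TLS_REQCERT $reqcert disables server certificate validation"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Live StartTLS probe (assumed host/port): succeeds only if the chain verifies
# against the CA file, which is the check ldap_start_tls() performs in PHP.
ldap_starttls_probe() {
    openssl s_client -connect "$1:${2:-389}" -starttls ldap -CAfile "$3" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone use: ./ldap_tls_audit.sh /etc/openldap/ldap.conf
if [ "$#" -gt 0 ]; then audit_ldap_tls_conf "$1"; fi
```

Run the audit on both servers and diff the output; a config that passes here but still fails in the PHP log points at the certificate directory ownership or the crypto policy rather than at ldap.conf.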
Re: Issues after migrating to a new server
Posted: Wed Mar 23, 2022 9:37 am
by hbouma
So, I looked at all those files. None of them have changed from the time it worked pre-migration, to when it failed post migration.
Since this is a DEV server, I am going to have it restored from backup, run through the steps one at a time and see what happens and when the logins stop working again.
Re: Issues after migrating to a new server
Posted: Fri Mar 25, 2022 12:10 pm
by pbroste
@hbouma
Checking in with you on this to see how things are going. Please let us know if you need anything further.
Re: Issues after migrating to a new server
Posted: Tue Mar 29, 2022 11:59 am
by hbouma
Ok, I have tested this out.
RHEL 8.5 64bit VM Nagios XI server works fine after install. Logins work.
Backup taken from RHEL 7.9 64bit VM Nagios XI server by running /usr/local/nagiosxi/scripts/backup_xi.sh
Restore of the backup done to RHEL 8 server by running /usr/local/nagiosxi/scripts/restore_xi.sh /store/backups/nagiosxi/FILE.tar.gz
Ran the fix of the restore repair script as I went from RHEL 7 to RHEL 8.
mount -o remount,exec /tmp
cd /tmp/
wget https://assets.nagios.com/downloads/nag ... _repair.sh
chmod +x restore_repair.sh
./restore_repair.sh
Now, I can't log into the server again. Same issues as I posted at
https://support.nagios.com/forum/postin ... 6#pr342252
Re: Issues after migrating to a new server
Posted: Tue Mar 29, 2022 5:01 pm
by pbroste