Fusion with https xi servers

This support forum board is for questions relating to Nagios Fusion.
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Fusion with https xi servers

Post by elade »

Hi,

I tried to fuse an XI server that uses https with a self-signed certificate (based on your manual).
The XI is working OK with https.
When I run "Test Fusion Settings" with the URL in https I get errors, but when I change the URL to http the test returns OK.
When I poll in debug mode with the URL in http I can see all the tables and info.
When I poll in debug mode with the URL in https I get the following:

Code:

root@nagiosfusion:/home/nagiosfusionuser# /usr/local/nagiosfusion/cron/poll_subsys.php --debug --server 58 --user opsec_user
PHP Warning:  "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? in /usr/local/nagiosfusion/html/includes/components/fusioncore/fusioncore.inc.php on line 259

OPERATING IN DEBUG MODE

2022-01-18 16:20:43[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:nagiosxi_bpi
2022-01-18 16:20:43[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:43[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:hoststatus
2022-01-18 16:20:43[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:44[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:servicestatus
2022-01-18 16:20:44[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:44[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:status
2022-01-18 16:20:44[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:45[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:user
2022-01-18 16:20:45[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:45[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:info
2022-01-18 16:20:45[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:46[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:alerts
2022-01-18 16:20:46[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:46[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:hostgroupmembers
2022-01-18 16:20:46[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:47[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:hostgroup
2022-01-18 16:20:47[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:47[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:servicegroup
2022-01-18 16:20:47[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
2022-01-18 16:20:48[s: 0, u: 0] poll_server() unable to poll data for s:my_env, u:my_user, poll:servicegroupmembers
2022-01-18 16:20:48[s: 0, u: 0] poll_server() CHECK YOUR LIVE_DATA_TIMEOUT SETTINGS. IT MAY NEED TO BE INCREASED
SERVER:      my_env
USERNAME:    my_user
POLLED_DATA:
Array
(
    [server_id] => 58
    [server_type] => 1
    [authentication_type] => 0
    [username] => my_user
    [polled_time] => 1642522843
    [data] => Array
        (
        )

    [debug_started_time] => 2022-01-18 16:20:43
    [debug_completed_time] => 2022-01-18 16:20:48
)


MEMORY USED: 5,172,320 Bytes
MEMORY PEAK: 5,346,936 Bytes

The curl system status command works OK from Fusion.

Code:

curl -XGET https://10.10.10.10/nagiosxi/api/v1/system/status?fusekey=ABCD -k -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.10.10.10:443...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=RO; ST=RO; L=Bucharest; CN=nagiosrss.com
*  start date: Dec 14 10:55:15 2021 GMT
*  expire date: Dec 12 10:55:15 2031 GMT
*  issuer: C=RO; ST=RO; L=Bucharest; CN=nagioserverenv.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /nagiosxi/api/v1/system/status?fusekey=ABCD HTTP/1.1
> Host: 10.10.10.10
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 18 Jan 2022 16:12:37 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
< Content-Length: 835
< Content-Type: application/json
<
{"instance_id":"1","instance_name":"localhost","status_update_time":"2022-01-18 16:12:35","program_start_time":"2022-01-18 16:00:03","program_run_time":"754","program_end_time":"1970-01-01 00:00:01","is_currently_running":"1","process_id":"678925","daemon_mode":"1","last_command_check":"1970-01-01 00:00:00","last_log_rotation":"1970-01-01 00:00:00","notifications_enabled":"1","active_service_checks_enabled":"1","passive_service_checks_enabled":"1","active_host_checks_enabled":"1","passive_host_checks_enabled":"1","event_handlers_enabled":"1","flap_detection_enabled":"1","process_performance_data":"1","obsess_over_hosts":"0","obsess_over_services":"0","modified_host_attributes":"0","modified_service_attributes":"0","global_host_event_handler":"xi_host_event_handler","global_service_event_handler":"xi_service_event_handler"}
* Connection #0 to host 10.10.10.10 left intact

I get the same results when the user is nagiosadmin.
Any idea what the problem could be?
XI version - 5.8.7
Fusion - 4.1.9 (also https with self signed certificate)
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Fusion with https xi servers

Post by pbroste »

Hello @elade

Thanks for reaching out, typically when it tosses out "1970-01-01" date we suspect that there is a date/time/timezone that is not sync'ed across.
{"instance_id":"1","instance_name":"localhost","status_update_time":"2022-01-18 16:12:35","program_start_time":"2022-01-18 16:00:03","program_run_time":"754","program_end_time":"1970-01-01 00:00:01","is_currently_running":"1","process_id":"678925","daemon_mode":"1","last_command_check":"1970-01-01 00:00:00","last_log_rotation":"1970-01-01
Please verify on both:

Code:

grep "date.timezone" /etc/php.ini
ls -l /etc/localtime
php -r 'echo date("D M j G:i:s T Y")."\n";'
date
echo "SELECT NOW();" | mysql -u root -pnagiosxi

Let us know how things look,
Perry
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: Fusion with https xi servers

Post by elade »

Hi pbroste,
I found the problem and it's with the self-signed certificate.
Since I created a self-signed certificate for my XI, the CN must be the server IP in order for Fusion to fuse the server with an https URL.
I did some research and since I can't have a DNS server which will do the resolving for my host, I have no other option but to put the XI IP in the CN.
My questions are:
1. I did the SSL/TLS procedure (on both servers) but when I add the XI into the fused list it works only when the URL is http and not https.
So is the communication between Fusion and XI secure, or is all the traffic between them in HTTP and then locally redirected to HTTPS?
2. I prefer not to enter my server's IP in the CN when I create a self-signed certificate. Do you have any other option for how to force HTTPS?

Thank you.
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Fusion with https xi servers

Post by pbroste »

Hello @elade

Excellent, good find on resolving the issue and for the follow-up questions:

The traffic will be encrypted by selecting SSL in the Nagios Network Analyzer Integration in Manage Components. If the SSL option is not selected, traffic would be transmitted unencrypted.

And the option to set a discoverable hostname so you can use alternate names or wildcards for host looks possible.

Thanks,
Perry
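
Added example (not part of the original posts and not Nagios code): a self-signed certificate can carry the server IP as a subjectAltName entry instead of in the CN, and `openssl x509 -checkip` / `-checkhost` show which URLs it covers. `XI_NAME` is a hypothetical hostname; `XI_IP` is the placeholder address used in the thread; `-addext` needs OpenSSL 1.1.1 or later.

```bash
#!/bin/sh
# Added example, not from the thread. XI_NAME is a hypothetical hostname;
# XI_IP is the placeholder address used in the posts above.
set -eu

XI_NAME="xi.example.internal"
XI_IP="10.10.10.10"

# Create a self-signed key/cert pair in directory $1. The IP goes into
# subjectAltName as an iPAddress entry, so the CN can stay a normal name.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${XI_NAME}" \
    -addext "subjectAltName=DNS:${XI_NAME},IP:${XI_IP}" \
    -keyout "$1/xi.key" -out "$1/xi.crt" 2>/dev/null
}

# Exit status 0 when certificate $1 is valid for the IP / hostname in $2.
# openssl reports the result as text, so the functions match on it.
cert_covers_ip()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q 'does match'; }
cert_covers_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

workdir=$(mktemp -d)
make_cert "$workdir"
openssl x509 -in "$workdir/xi.crt" -noout -ext subjectAltName

# 10.10.10.11 is a constructed negative case: it is not listed in the SAN.
for target in "$XI_IP" 10.10.10.11; do
  if cert_covers_ip "$workdir/xi.crt" "$target"; then
    echo "https://$target/ : certificate matches"
  else
    echo "https://$target/ : certificate does NOT match"
  fi
done
if cert_covers_host "$workdir/xi.crt" "$XI_NAME"; then
  echo "https://$XI_NAME/ : certificate matches"
fi
rm -rf "$workdir"
```

The certificate is still self-signed, so the client that verifies it has to be given it as a trusted certificate; the name check above only covers the hostname/IP part of verification.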
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: Fusion with https xi servers

Post by elade »

Hi pbroste,

I read the manual for Network Analyzer Integration but it doesn't explain how to verify that the communication between XI and Fusion will be in HTTPS only and not http then redirect to https.
Is there a way to verify it?
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Fusion with https xi servers

Post by pbroste »

Hello @elade

Thanks for following up, there are probably many other ways to verify the network traffic. But I will recommend 'tcpdump' and reviewing the results.

Code:

tcpdump -w file.pcap 'port (80 or 443) and src <srcIP> and dst <dstIP>'

Thanks,
Perry
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: Fusion with https xi servers

Post by elade »

Hi,

I ran tcpdump, and when Fusion is trying to connect to the remote XI it first uses HTTP and then redirects to HTTPS.
Can Fusion/XI work in HTTPS only by default (disable HTTP)?
Thanks.
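
Added example (not part of the original posts): a review of a capture's text output that counts cleartext HTTP requests, redirects and TLS packets, and flags any request whose URL carried the fusekey before the redirect to HTTPS took effect. The sample lines are constructed in the style of `tcpdump -nn -r file.pcap` output; the addresses and the key value are the placeholders used in the thread.

```bash
#!/bin/sh
# Added example, not from the thread. SAMPLE is constructed; it mimics the
# text output of `tcpdump -nn -r file.pcap` for one HTTP attempt that is
# redirected, followed by the HTTPS connection.
set -eu

SAMPLE='16:20:43.101000 IP 10.10.10.20.51234 > 10.10.10.10.80: Flags [S], seq 1, win 64240, length 0
16:20:43.102000 IP 10.10.10.20.51234 > 10.10.10.10.80: Flags [P.], seq 1:120, ack 1, win 502, length 119: HTTP: GET /nagiosxi/api/v1/system/status?fusekey=ABCD HTTP/1.1
16:20:43.103000 IP 10.10.10.10.80 > 10.10.10.20.51234: Flags [P.], seq 1:300, ack 120, win 509, length 299: HTTP: HTTP/1.1 301 Moved Permanently
16:20:43.110000 IP 10.10.10.20.51240 > 10.10.10.10.443: Flags [S], seq 1, win 64240, length 0
16:20:43.112000 IP 10.10.10.20.51240 > 10.10.10.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517'

# Reads tcpdump text on stdin and prints a one-line summary.
triage() {
  awk '
    $2 == "IP" {
      dst = $5; sub(/:$/, "", dst)            # e.g. 10.10.10.10.80
      n = split(dst, d, "."); dport = d[n]    # port is the last dotted field
      m = split($3,  s, "."); sport = s[m]
      if (dport == 443 || sport == 443) tls++
      # A request line visible on port 80 means the URL crossed in cleartext.
      if (dport == 80 && $0 ~ /HTTP: (GET|POST|PUT|DELETE) /) {
        http_req++
        if ($0 ~ /[?&]fusekey=/) key++        # key exposed before any redirect
      }
      if (sport == 80 && $0 ~ /HTTP: HTTP\/1\.[01] 30[1278] /) redir++
    }
    END {
      printf "http_requests=%d key_in_cleartext=%d redirects=%d tls_packets=%d\n",
             http_req, key, redir, tls
    }'
}

printf '%s\n' "$SAMPLE" | triage
```

A non-zero `key_in_cleartext` means the redirect did not protect the key: the first request was already sent over HTTP, so the fused server URL itself needs to be https.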
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Fusion with https xi servers

Post by pbroste »

Hello @elade

On the XI side, verify the following found in '/usr/local/nagiosxi/html/config.inc.php'
// Force http/https
$cfg['use_https'] = false; // determines whether cron jobs and other scripts will force the use of HTTPS instead of HTTP
  • https_conf.png
On Fusion verify the following:
  • fusion_ssl.png
Beware that the handshake over HTTPS will require a certificate of some kind.

Thanks,
Perry
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: Fusion with https xi servers

Post by elade »

Hi pbroste,

You can close the topic.
Thank you!
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Fusion with https xi servers

Post by pbroste »

Thanks for following up @elade, I will lock this.
Perry