There we go. You can install your self-signed cert as an accepted CA.
Should be an ssl folder with a ca or CA folder in it. You copy the file in with any name (normal convention), then you create a symbolic link to this file from a hex representation of the key. Should be a document somewhere on the web for how to do this...
You know the key for 127.0.0.1 and localhost would be usable on almost every computer. You can also set up tinyca, but then you still have to figure out how to insert your own cert into the trusted roots.
Good luck attempting to master the use of HTTPS, it's not so easy is it!
SSL Issues: Configuration write failed - Dataset not found
Re: Configuration write failed - Dataset not found - Please help
I think this would be the instructions you mean:
http://gagravarr.org/writing/openssl-ce ... ed-openssl
Thanks,
Dave
Re: Configuration write failed - Dataset not found - Please help
Yes, that's it. The simple version is this, my best stab at for dummies:
First ensure there is only one certificate in this PEM formatted file. Normally you would create a symbolic link for a meaningful name of the CA to the hash value, rather than renaming the CA certificate. Look up the hash value.
In either /usr/share/ssl/ or /etc/pki/tls/ and why not both, whatever exists.
Run this program after changing the first line:
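Code:
# Path to the PEM file holding the CA certificate (change this first)
file=/path2file
# Proceed only if the file holds exactly one certificate
[ "$(grep -c 'BEGIN.* CERTIFICATE' "$file")" -eq 1 ] && {
  # Subject-name hash OpenSSL uses to look the CA up, plus the .0 suffix
  key=$(openssl x509 -hash -noout -in "$file").0
  echo "This is a good PEM file with key $key."
  for ech in /usr/share/ssl /etc/pki/tls
  do
    # Install only into directories that exist and are writable
    [ -d "$ech" ] && [ -w "$ech" ] && {
      cp -f "$file" "$ech"
      ln -sf "$(basename "$file")" "${ech}/${key}"
    }
  done
}
Re: Configuration write failed - Round 3 - Dataset not found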
edgeweb wrote: The only thing I would add to another post is that it seems to be working fine now, all SSL for my users (which makes me happy, and more importantly my auditors happy).
Thanks,
Dave
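The hash-link step from the script earlier in this thread, as an added example that is not code from any of the posters: it works in a scratch directory instead of /usr/share/ssl or /etc/pki/tls, generates a constructed throwaway self-signed certificate for CN=localhost, and uses `openssl verify -CApath` to show the certificate is rejected before the `<hash>.0` link exists and accepted afterwards. The function names `install_ca`, `trusted` and `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install one PEM CA certificate into an OpenSSL
# CApath-style directory and confirm that verification picks it up.

# install_ca FILE DIR: copy FILE into DIR and create the <hash>.0 link.
# Prints the link name on success; returns non-zero on any failure.
install_ca() {
    file=$1 dir=$2
    # Refuse bundles: one hash link describes exactly one certificate.
    [ "$(grep -c 'BEGIN.* CERTIFICATE' "$file")" -eq 1 ] || return 1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    hash=$(openssl x509 -hash -noout -in "$file") || return 1
    cp -f "$file" "$dir/" || return 1
    # Relative link, so the directory can be moved as a unit.
    ln -sf "$(basename "$file")" "$dir/$hash.0" || return 1
    echo "$hash.0"
}

# trusted FILE DIR: succeeds if FILE verifies with DIR as the CA directory.
trusted() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# demo: runs on constructed scratch data and prints
# "before=<yes|no> after=<yes|no> link=<yes|no>".
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    # Constructed throwaway self-signed certificate for CN=localhost.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$work/key.pem" -out "$work/localhost-ca.pem" 2>/dev/null || return 1
    trusted "$work/localhost-ca.pem" "$work/certs" && before=yes || before=no
    link=$(install_ca "$work/localhost-ca.pem" "$work/certs") || return 1
    trusted "$work/localhost-ca.pem" "$work/certs" && after=yes || after=no
    [ -L "$work/certs/$link" ] && haslink=yes || haslink=no
    rm -rf "$work"
    echo "before=$before after=$after link=$haslink"
}

demo
```

Running the same `openssl verify -CApath` check against the real directory after installing is a quick way to confirm the link name matches what OpenSSL looks up.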
Status MAP on SSL
Hello,
If I access Nagios XI using SSL, the network image from the home page link is not generated.
Any ideas?
Thanks!
Re: Status MAP on SSL
We don't supply an https transport. Yes, this sounds like the localhost certificate problem.
You will want to read this whole thread carefully and make sure you satisfy all the constraints of using https.
nagios using HTTPS
Hi, can the Nagios server be accessed using https, and if so, what changes are required in the config files?
Many Thanks Dave
Re: SSL Issues: Configuration write failed - Dataset not found
This was a very frustrating problem for us as well.
Our policy is that all web servers should use SSL. We also require an SSL certificate signed by a recognized authority. All http connections are to be redirected (i.e. rewritten) to https. Really, I can't imagine not using SSL for any production web server.
I tried several workarounds after my initial tries failed. Using a separate, self-signed certificate for localhost sounds like a management nightmare and a bit of a hack job. I also considered blocking port 80 using something like iptables, but this strikes me as an incomplete solution.
I came up with this solution using mod_rewrite:
Code:
RewriteEngine on
# Only act on requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Skip requests whose Host header contains "localhost" (case-insensitive)
RewriteCond %{HTTP_HOST} !localhost [NC]
# Redirect everything else to the same path over https
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R]
This rewrites anything not https and not connecting to localhost. (And connections to http://localhost are left alone.) This seems to be working, and I'm able to write config files and I can see everything we've set up so far. I also see the entries in the access_log where the backend Nagios bits are connecting to localhost. Everything else is rewritten to https and is visible in the ssl_access_log.
This also means I did not need to change the "Program URL:" in the Nagios System Settings to point to https. I left this completely alone and it seems to be working. If anyone sees a problem with this solution, please let me know.
Also, is there a good place to request future Nagios XI releases are SSL friendly?