XI server unresponsive, timeout after enabling HTTPS

This support forum board is for questions relating to Nagios Fusion.
thur686
Post by thur686 »

First of all, an early happy Thanksgiving to all.

Last week I enabled HTTPS (using TLS not SSL) on all of our Nagios systems. I just discovered that the Fusion box is no longer able to contact the XI server.

In 'Tactical Overview', the status is:
A timeout occurred while attempting to contact the server

In 'Server Credentials', the status is:
Unresponsive, Server Timeout

The auth type is session.
The URLs have a trailing slash.
The Fusion server is able to resolve the host name of the XI server.

We are on Fusion 2014R1.1 and Nagios XI 5.2.2
lmiltchev
Former Nagios Staff

Re: XI server unresponsive, timeout after enabling HTTPS

Post by lmiltchev »

> Last week I enabled HTTPS (using TLS not SSL) on all of our Nagios systems. I just discovered that the Fusion box is no longer able to contact the XI server.

Can you describe in detail the changes that you made to the system? The following document is our "official" guide for configuring SSL for Nagios XI. It is proven to work. If you did something else, we would need more details in order to troubleshoot the issue.

https://assets.nagios.com/downloads/nag ... s%20XI.pdf

Did you enable HTTPS on both the Nagios XI fused server and Nagios Fusion, or only on XI?

Run the following commands and show the output in code wraps:

On Nagios XI:

```
ip addr
hostname
grep use_https /usr/local/nagiosxi/html/config.inc.php
```

On Nagios Fusion:

```
tail -100 /var/log/httpd/error_log
tail -100 /usr/local/nagiosfusion/var/poller.log
```

Also, in Fusion, go to Configure->Manage Fused Servers, click on "Edit" and show us a screenshot of the "Edit Server" page.
thur686

Re: XI server unresponsive, timeout after enabling HTTPS

Post by thur686 »

```
Nagios XI
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:84:04:44 brd ff:ff:ff:ff:ff:ff
    inet 10.89.184.72/24 brd 10.89.184.255 scope global eth0
    inet6 fe80::250:56ff:fe84:444/64 scope link
       valid_lft forever preferred_lft forever

FUSION02.private.com

$cfg['use_https'] = true; // determines whether cron jobs and other scripts will force the use of HTTPS instead of HTTP

Nagios Fusion
> Tail 1
[Fri Dec 04 12:08:37 2015] [error] [client 10.89.184.33] PHP Warning:  strftime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in /usr/local/nagiosfusion/html/includes/utilsl.inc.php on line 344, referer: https://FUSION02.private.com/nagiosfusion/includes/components/fusioncore/tac.php

> Tail 2
NAGIOSXI ALERT FETCH DEV XI
COUNT :0
NAGIOSCORE ALERT FETCHDEV Core
PHP Warning:  DateTime::createFromFormat(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in /usr/local/nagiosfusion/html/includes/utils-recentalerts.inc.php on line 134
COUNT :0
Polling Top Alert Producers...
TRUNCATING topalertproducers table
Saved top alert producers for DEV Core
2 callbacks run
..[root@FUSION02 ~]# tail -100 /usr/local/nagiosfusion/var/poller.log
tail: option used in invalid context -- 1
[root@FUSION02 ~]# tail -100 /usr/local/nagiosfusion/var/poller.log
PHP Notice:  Undefined index: SERVER_PORT in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 581
PHP Notice:  Undefined index: SERVER_PORT in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 582
PHP Notice:  Undefined index: SERVER_NAME in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 586
Saving Tac Data to DB: DEV XI
PHP Notice:  Undefined index: query in /usr/local/nagiosfusion/html/includes/utilsx.inc.php on line 80
Saving Tac Data to DB: DEV Core
Polling Recent Alerts...
NAGIOSXI ALERT FETCH DEV XI
COUNT :0
NAGIOSCORE ALERT FETCHDEV Core
PHP Warning:  DateTime::createFromFormat(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in /usr/local/nagiosfusion/html/includes/utils-recentalerts.inc.php on line 134
COUNT :0
Polling Top Alert Producers...
TRUNCATING topalertproducers table
Saved top alert producers for DEV Core
2 callbacks run
...***GET DATA!***
RUNTIME: 30 INTERVAL: 30 POLL INTERVAL: 30
PHP Notice:  Undefined index: SERVER_PORT in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 581
PHP Notice:  Undefined index: SERVER_PORT in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 582
PHP Notice:  Undefined index: SERVER_NAME in /usr/local/nagiosfusion/html/includes/utils.inc.php on line 586
Saving Tac Data to DB: DEV XI
PHP Notice:  Undefined index: query in /usr/local/nagiosfusion/html/includes/utilsx.inc.php on line 80
Saving Tac Data to DB: DEV Core
Polling Recent Alerts...
NAGIOSXI ALERT FETCH DEV XI
COUNT :0
NAGIOSCORE ALERT FETCHDEV Core
PHP Warning:  DateTime::createFromFormat(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in /usr/local/nagiosfusion/html/includes/utils-recentalerts.inc.php on line 134
COUNT :0
2 callbacks run
Loop time: 0 seconds
```

Thanks lmiltchev, sorry for the late reply (holiday).

HTTPS is now enabled on the Fusion and Nagios XI servers. They are also hardened, supporting only TLSv1.1 & TLSv1.2.

The first changes I made to the Fusion box are detailed step for step in the following PDF:
https://assets.nagios.com/downloads/nag ... s%20XI.pdf

Two steps in that PDF were not applicable to Fusion.

This file does not exist: /usr/local/nagiosxi/html/config.inc.php.
This is the file for Fusion: /usr/local/nagiosfusion/html/config.inc.php
That file does not include a line pertaining to https.

There is also no Core Config Admin in Fusion (that I know of) so that step was skipped.

After the Fusion site was using HTTPS, it was time to disable SSL and TLS 1.0.

I edited ssl.conf, nagiosfusion.conf and httpd using the following link as a guide.

https://www.acunetix.com/blog/articles/ ... hardening/

After that, the Fusion site only supported SSLProtocols TLSv1.1 & TLSv1.2.
ssax
Dreams In Code

Re: XI server unresponsive, timeout after enabling HTTPS

Post by ssax »

I've set this up before, I'll lab it up on Monday and get this figured out for you.

Thank you
ssax
Dreams In Code

Re: XI server unresponsive, timeout after enabling HTTPS

Post by ssax »

Are you using self-signed (or even local CA signed) certificates on them?
thur686

Re: XI server unresponsive, timeout after enabling HTTPS

Post by thur686 »

Yes, self signed.
ssax
Dreams In Code

Re: XI server unresponsive, timeout after enabling HTTPS

Post by ssax »

Locking this thread because it's been moved into a ticket.
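
The thread leaves three candidate causes open: the TLSv1.1/TLSv1.2-only restriction, the self-signed certificates, and a plain network timeout. The following is an added example, not part of the original posts and not Nagios code, of a layered check run from the Fusion host that tells them apart. It assumes the `curl` command-line client is installed, and its TLS stack may differ from the one used by the PHP poller seen in poller.log; the `XI_URL` value and the result labels are placeholders chosen here.

```shell
#!/bin/sh
# Added example: layered HTTPS check, run from the Fusion host against XI.
# XI_URL is a placeholder; use the URL entered under "Manage Fused Servers".
XI_URL="${XI_URL:-https://xi.example.internal/nagiosxi/}"

# probe [curl options]: one request capped at 10 s; exit status is curl's.
probe() {
    curl --silent --output /dev/null --max-time 10 "$@" "$XI_URL"
}

# diagnose: print a label for the first layer that fails; status 0 only if clean.
diagnose() {
    rc=0
    probe || rc=$?
    case "$rc" in
        0)  echo ok; return 0 ;;
        6)  echo dns-failure ;;        # host name did not resolve
        7)  echo connect-failed ;;     # nothing accepting connections on the port
        28) echo timeout ;;            # no answer in 10 s: routing or firewall
        35) # TLS handshake rejected. Retry asking for TLSv1.2 or newer, with
            # verification off so a certificate problem cannot mask the result.
            if probe --insecure --tlsv1.2; then
                echo tls-default-rejected   # client default offer refused by server
            else
                echo tls-no-common-version  # client cannot reach a version the server allows
            fi ;;
        51|60)
            # Certificate verification failed. If the same request works with
            # verification off, the only problem is trust, which is expected
            # for a self-signed certificate the client has not been given.
            if probe --insecure; then
                echo cert-untrusted
            else
                echo cert-untrusted-and-other-failure
            fi ;;
        *)  echo "curl-exit-$rc" ;;
    esac
    return 1
}
```

Source the file on the Fusion host and call `diagnose`. A `cert-untrusted` result is resolved by adding the XI certificate to the trust store the client uses, not by leaving verification off.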