Documentation problems

[SDohmen]

Today i decided to make a new central so i would have a completely clean to work with.

However when i used the ssl documentation i noticed some mishaps in there:

According to the documentation the nagiosxi.conf is supposed to look like:

Code: Select all

#NameVirtualHost *.443
<VirtualHost *:80>
<Directory "/usr/local/nagiosxi/html">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# AuthName "Nagios XI"
# AuthType Basic
# AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# Require valid-user
</Directory>
</VirtualHost>

However when i open my nagiosxi.conf file i see the following:

Code: Select all

<Directory "/usr/local/nagiosxi/html">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios XI"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#   Require valid-user
</Directory>

Alias /nagiosxi "/usr/local/nagiosxi/html"

I know its only the virtualhost part but it makes me guess how many other mistypo's are in there since when i follow the document to the letter i get several ssl errors and a not working httpd service.

Also the following i found strange:

Code: Select all

Now that we have our key we have to tell httpd where to look for it. In your /etc/httpd/conf.d/ssl.conf , find the
SSLCertificateFile line and change these values:
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

I have to add the certificates to the ssl.conf file and a couple lines down i need to add them again to the nagiosxi.conf file. From the errors i get i have to disable 1 of the virtualhost:443 to get it to work properly

Anyone have the proper files how this file should look like so i can enable ssl.

[mguthrie]

Can you please zip up your /etc/httpd/ directory and send it to us?

[SDohmen]

Added to this post is a zip file containing all the files from the httpd conf dirs.

The only thing changed is the ssl file according to the documentation. The nagiosxi.conf file is still the original one since the data doesn't match.

[mguthrie]

The only thing changed is the ssl file according to the documentation. The nagiosxi.conf file is still the original one since the data doesn't match.

The SSL certificate configuration is almost certainly the source of the issue here. I was trying to look at the SSL configuration that was being attempted, but wasn't working properly. I need to see the /etc/httpd config that you were trying to use, but was failing. The nagiosxi.conf file should look like the below file and should point to your SSL certificates.

Code: Select all

#NameVirtualHost *.443
<VirtualHost *:80>
<Directory "/usr/local/nagiosxi/html">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# AuthName "Nagios XI"
# AuthType Basic
# AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# Require valid-user
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"

Once this code is in place, with apache restarted, go ahead and attempt to access the network status map. There's a log that we added as of 1.7 that should display any content loading errors under the hood. This is located in the /usr/local/nagiosxi/var/load_url.log file. This log will give an info dump of any internal page requests that failed. Post the contents of that file if you see any problems. The other log to watch for SSL certificate issues is the /var/log/httpd/access_log (provided this hasn't been changed in your httpd.conf file).

[SDohmen]

With the file you added i got the following error:

Code: Select all

[root@central conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: [Fri Nov 18 09:28:15 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                           [  OK  ]
[root@central conf.d]#

So i decided to edit the ssl conf because i know there is a virtualhost part there aswell:

The original one unedited (with comments removed to keep it readable here):

Code: Select all

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/central_o4s_nl.cer
SSLCertificateKeyFile /etc/httpd/cert/central_o4s_nl.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#SSLVerifyClient require
#SSLVerifyDepth  10
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \

The new one (also with comments removed to keep it readable):

Code: Select all

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

Now when i restart the httpd service i get:

Code: Select all

[root@central conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@central conf.d]#

I assume this is fine with the edited ssl file since the overlap was causing warnings.

[mguthrie]

Just to verify then, after doing this, does the problem exists mainly with the network status map? Are you seeing issues anywhere else? I might do some snooping on the curl options that are used to request the page, because there are a lot of settings related to SSL.

Do you get any useful output in any of the following files when you access the status map?:

/var/log/httpd/error_log
/var/log/httpd/ssl_error_log
/var/log/httpd/ssl_access_log

[SDohmen]

When i try the network status map on the new central it works just fine. However when i check the files as you requested i still see lots of errors:

Code: Select all

[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6
[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6
[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6
[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6
[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client 172.16.21.1] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132
[Sat Nov 19 21:17:14 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=3
[Sat Nov 19 21:17:14 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=3
[Sat Nov 19 21:17:14 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=3
[Sat Nov 19 21:17:14 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=3
[Sat Nov 19 21:17:14 2011] [error] [client *.*.*.*] PHP Warning:  substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=3

I just noticed that the unconfigured objects page stopped working. I am not sure if it has anything todo with the rest in this post but i am guessing it has.

[mguthrie]

[Sat Nov 19 21:17:10 2011] [error] [client *.*.*.*] PHP Warning: substr() expects parameter 2 to be long, string given in /usr/local/nagiosxi/html/includes/components/nagioscore/coreuiproxy.inc.php on line 132, referer: https://*.*.*.*/nagiosxi/includes/components/xicore/status.php?show=map&layout=6

I checked on the above message, and it looks like this is just a minor PHP bug, and this error message is specific to newer versions of PHP. I just fixed this issue for the next release, but it doesn't appears that this bug was related to the network-statusmap/SSL issues.

[SDohmen]

There are 2 other things though that i havent seen before.

1. the unconfigured objects page isn't cleanable anymore aka i cant remove any hosts from it.
2. The status map does work except for the images. I changed a couple on source but it still shows the old ones. I am wondering if a service restart would solve this problem.

Part 2 can be ignored. I solved that one. It seems the image i was looking for was located in a different dir.

[mguthrie]

1. the unconfigured objects page isn't cleanable anymore aka i cant remove any hosts from it.

As far as I know, this is a known limitation of the Unconfigured objects feature. It parses the nagios event log for unconfigured passive checks that come in, and I think if they're within a certain timeframe, they'll continue to show up in the list.

Part 2 can be ignored. I solved that one. It seems the image i was looking for was located in a different dir.

Good deal. Thanks for the update