Need Server alias to work with SSL cert for Nagios XI

[ks6764]

I am using Nagios XI 5.4.4 on a Redhat 7 server.

I used the excellent instructions on https://assets.nagios.com/downloads/nag ... s%20XI.pdf to configure an SSL certificate for the Nagios XI server.

When I use:

Code: Select all

https://thisismyserver.domain.com

using the server's hostname it works with no issues.

I would like to be able to configure a server alias I have in DNS to use the same SSL certificate, but so far I am getting the "Your connection is not secure" as is shown on
https://support.nagios.com/kb/article.php?id=598.

The bottom of my httpd.conf file has the following:

Code: Select all

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

The bottom of my ssl.conf file has the following:

Code: Select all

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
</IfModule>

I am using Apache version 2.4.6. Assuming the server alias in DNS is in a different domain, let's call it diffdomain.otherdomain.com, what does my edit to the httpd.conf or ssl.conf file need to be ?
I realize this is not strictly a Nagios issue, but I would appreciate any assistance in getting this going. I also realize there are steps in the browser where a user may be able to override this issue, but I would like to avoid that all together if possible. Additionally, if I can get the alias to work, I will use it instead of the actual hostname in the nrds.cfg files on the client servers being monitored. That way in the future if I change out servers, I can just migrate the server alias to the new server and then import the monitoring without having to change nrds.cfg files on over 1,000 client servers.

[cdienger]

Have you configured the certificate to use an alias already? The documentation doesn't do and I'm currently working to set this up myself, but https://ashishbanyal.wordpress.com/2014 ... h-openssl/ seems like a good start.

Please also provide a screenshot showing details the "Your connection is not secure" message. If the cert isn't signed by a CA that the client already trusts then the browser will need to import the CA to avoid the message found in that KB.

[ks6764]

I am using an actual signed certificate from a CA and I know my certificate is valid.

[cdienger]

You could edit ssl.conf to use name-based virtual hosts instead of the ip-based by changing the VirtualHost directive from:

Code: Select all

<VirtualHost _default_:443>

to:

Code: Select all

<VirtualHost IPADDRESS:443>

and then use the servername directive to specify the virtualhost:

Code: Select all

<VirtualHost IPADDRESS:443>
Servername default
....
	SSLCertificateFile /etc/pki/tls/certs/certfile.crt
	SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key
...
</VirtualHost>

<VirtualHost IPADDRESS:443>
Servername somehost.somedomain.com
....
	SSLCertificateFile /etc/pki/tls/certs/somedomain.crt
	SSLCertificateKeyFile /etc/pki/tls/private/somedomain.key
...
</VirtualHost>

Note that you would need two certs for this - one for the default config and another for the somehost.somedomain.com config.

If you want to use the same cert for both domains then you would need to have the cert updated to include an alias to avoid cert errors.

I've attached a sample config showing how the ssl.conf would look if want to try configuring two virtual hosts.

[ks6764]

Thanks for the information. I also found out through our department that manages the SSL certificate requests that I can submit to get a SAN certificate so that multiple hostnames can be identified by a single certificate.
I didn't know that such a thing existed until just a few moments ago. A quick Google search on

Code: Select all

subject alternative name certificate request

revealed the following https://www.digicert.com/subject-alternative-name.htm
You can close this thread now and thanks again.