Hello, I am running v5.5.8 64-bit / VM / CentOS 7
This is my Nagios XI test server.
I requested certificates from a trusted source, and received three, described as:
as X509 Certificate only, Base64 encoded
as X509 Intermediates/root only, Base64 encoded
as X509 Intermediates/root only Reverse, Base64 encoded
The first one works, but some web site checks have a problem with it, for example:
[ead@xxx ~]$ ./check_ssl_cert -H xxx.doit.wisc.edu --critical 7 --warning 30 --timeout 5 --ignore-sig-alg
SSL_CERT CRITICAL xxx.doit.wisc.edu: Cannot verify certificate: unable to get local issuer certificate, unable to verify the first certificate|days=728;30;7;;
[ead@xxx ~]$
While this plugin is OK with it:
[ead@xxx ~]$ ./check_ssl_cert_expiry -H xxx.doit.wisc.edu -w 5 -c 6
OK: 728 days are left for SSL Certificate Expiration on Host xxx.doit.wisc.edu
[ead@xxx ~]$
Installation of the second and third certificates, with intermediates, seems to have a problem:
[ead@xxx ~]$ sudo /usr/sbin/apachectl restart
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Are there additional instructions for installing a certificate with intermediates?
Earl
certificate problems
Re: certificate problems
The two certs that are not working don't contain the server cert (Intermediates/root), so the fact that they fail isn't surprising. You should only need to use the server cert (Certificate only).
The difference between the plugins is that the one that doesn't appear to work uses openssl's -verify option while the other one doesn't. The failing one is unable to verify the certificates used to sign the cert because they're not installed on the system. You can try adding them to the end of /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt or using check_ssl_cert's -r option to specify a location to find the intermediate and root certs. From https://github.com/matteocorti/check_ss ... k_ssl_cert:
echo " -r,--rootcert path root certificate or directory to be used for"
echo " certificate validation"
echo " --rootcert-dir path root directory to be used for certificate validation"
echo " --rootcert-file path root certificate to be used for certificate validation"
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
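An added example, not part of the original posts and not check_ssl_cert's own code: it builds a throwaway root, intermediate and leaf with openssl (all names and files are constructed) and reproduces the "unable to get local issuer certificate" failure when the verifier has only the root, then passes once the intermediate is supplied. The last function shows why an intermediates-only file cannot stand in for the server certificate: it does not match the server's private key.

```shell
#!/bin/sh
# Constructed demo PKI: every name and file below is made up for illustration.
set -eu

new_csr() {  # $1 = subject CN, $2 = file basename
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

build_chain() {  # $1 = work dir; writes root.pem, inter.pem, leaf.pem and keys
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr "Demo Root CA" root
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null
    new_csr "Demo Intermediate CA" inter
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
    new_csr "demo.example.test" leaf
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
  )
}

# The verifier trusts only the root and is handed only the leaf: what a strict
# checker sees when the intermediates are neither sent nor installed locally.
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1; }

# Same trust anchor, with the intermediate supplied as an untrusted helper cert.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

# Does certificate $1 carry the public key that belongs to private key $2?
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  build_chain "$d"
  verify_leaf_only "$d" || echo "-> fails without the intermediate"
  verify_with_intermediate "$d" && echo "-> passes with the intermediate"
  cert_matches_key "$d/leaf.pem" "$d/leaf.key" && echo "leaf.pem matches leaf.key"
  cert_matches_key "$d/inter.pem" "$d/leaf.key" || echo "inter.pem does not match leaf.key"
}
main
```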
Bitflogger
Re: certificate problems
Hello,
Please lock the case.
Earl
Re: certificate problems
Will do!