Cannot write /certs when saving a certificate

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

We are trying to configure our log server instances to use AD to authenticate users. I have followed the steps in the document in the knowledge base, but when I try to save the servers I get an error writing to /certs. The instances use RHEL 7. What directory is it trying to write to that needs to be created or have the permissions set to be used by user nagios?

Dan Fitzpatrick
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cannot write /certs when saving a certificate

Post by cdienger »

The certs directory it is referring to is /etc/openldap/certs. It should exist by default. Can you confirm that on your machine, along with the permissions set on it? From a lab machine:

[root@centos7x64 ~]# ls -al /etc/openldap/certs/
total 92
drwxrwxr-x. 2 apache nagios 4096 Jul 10 11:26 .
drwxrwxr-x. 4 apache nagios 48 Jun 29 16:09 ..
-rw-r--r-- 1 apache apache 1678 Jun 30 16:11 5efbaa6db655d.crt
-rw-r--r-- 1 apache apache 5166 Jun 30 16:11 5efbaa6db655d.pem
-rw-r--r-- 1 apache apache 1374 Jul 10 11:26 5f0896b9638b8.crt
-rw-r--r-- 1 apache apache 4461 Jul 10 11:26 5f0896b9638b8.pem
-rw-r--r--. 1 root root 65536 Mar 1 2016 cert8.db
-rw-r--r--. 1 root root 16384 Mar 1 2016 key3.db
-r--------. 1 root root 45 Mar 1 2016 password
-rw-r--r--. 1 root root 16384 Mar 1 2016 secmod.db
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Re: Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

So I checked it and it was owned by nagios. I tried to change it to apache:nagios and I get the same thing. Here are the permissions on the files and directory:

root@hpsatvld5352:/etc/openldap # ls -ld certs
drwxr-xr-x. 2 apache nagios 4096 Dec 18 2018 certs
root@hpsatvld5352:/etc/openldap # ls -l certs
total 64
-rw-r--r--. 1 nagios nagios 65536 Jun 18 10:03 cert8.db
-rw-r--r--. 1 nagios nagios 16384 Jun 18 10:03 key3.db
-r--------. 1 nagios nagios 45 Jun 18 10:03 password
-rw-r--r--. 1 nagios nagios 16384 Jun 18 10:03 secmod.db

I even tried saving off those files and removing them from this directory. Any thoughts?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cannot write /certs when saving a certificate

Post by cdienger »

What is the full error, and where exactly do you see it? Please provide a screenshot if possible.
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Re: Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

So it just complains about not being able to write to /certs. I have tried recycling Apache too, to make sure it is getting a clean read on permissions. I have attached a screenshot where I add one of the DC certificates. We have successfully used this cert on our Nagios XI installations, so we know it is good.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cannot write /certs when saving a certificate

Post by cdienger »

Thanks for that. I was able to track down the code producing the error and can see that the directory name is two parts - the variable $ldapdirectory plus the string /cacerts. It's behaving as if it doesn't have the first part.

Edit /var/www/html/nagioslogserver/application/config/config.local.php and it should contain these lines:

$config["ldap_dir"] = '/etc/openldap';
$config["ldap_cacerts_dir"] = '/etc/openldap/cacerts';

Add them if they don't exist. The permissions on the file should also look like:

-rwxrwxr-x 1 apache apache 1225 Jun 29 16:09 /var/www/html/nagioslogserver/application/config/config.local.php
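
Added example, not part of the post above and not Nagios code: a POSIX shell check for the two settings cdienger describes, confirming that each key is set in config.local.php and that the directory it names exists and is writable by the account running the check. The function names are hypothetical; run it as the web server account (apache in the listings above) so the write test reflects that account's access rather than root's.

```shell
#!/bin/sh
# Usage (assumed invocation):
#   sudo -u apache sh check_ldap_dirs.sh \
#     /var/www/html/nagioslogserver/application/config/config.local.php

# ldap_config_value FILE KEY
# Print the value assigned to $config["KEY"] (single or double quotes).
# Commented-out assignments are ignored; the last assignment wins, as in PHP.
ldap_config_value() {
    awk -v key="$2" '
        BEGIN {
            q   = "[\"\047]"    # either quote character
            pat = "^[ \t]*\\$config\\[" q key q "\\][ \t]*=[ \t]*" q
        }
        $0 ~ pat { v = $0; sub(pat, "", v); sub(q ";.*$", "", v); val = v }
        END { print val }' "$1"
}

# audit_ldap_config FILE
# One finding per key; returns non-zero if any key is unset or its
# directory is missing or not writable by the current user.
audit_ldap_config() {
    rc=0
    for key in ldap_dir ldap_cacerts_dir; do
        dir=$(ldap_config_value "$1" "$key")
        if [ -z "$dir" ]; then
            # An unset base directory is what leaves the bare "/certs" path.
            printf '%s\n' "MISSING  \$config[\"$key\"] is not set in $1"; rc=1
        elif [ ! -d "$dir" ]; then
            printf '%s\n' "NODIR    $key=$dir does not exist"; rc=1
        elif [ ! -w "$dir" ]; then
            printf '%s\n' "NOWRITE  $key=$dir not writable by $(id -un)"; rc=1
        else
            printf '%s\n' "OK       $key=$dir"
        fi
    done
    return $rc
}

# Run the audit only when a config file path is given on the command line.
if [ $# -gt 0 ]; then
    audit_ldap_config "$1"
fi
```

A NOWRITE result is resolved with owner or group write for the web server account, as in the lab listing earlier in the thread, rather than by making the directory world-writable.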
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Re: Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

So good news: that let me put in the certificates. Looks like we have something new, though, because when I click add / import users it gives me a blank screen. I can navigate back to Home, but there is something else we need to do.
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Re: Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

I figured I probably should give you a screenshot of the AD / LDAP screen too; it may help.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cannot write /certs when saving a certificate

Post by cdienger »

Were the permissions on /var/www/html/nagioslogserver/application/config/config.local.php correct? The blank screen makes me think there may be permissions issues on the other web interface files in /var/www/html/nagioslogserver/.

Use Chrome's dev tools by hitting F12 while in the browser and go to the network section. Then try reloading the page again. Are there any errors logged?
Dan_F_DXC
Posts: 18
Joined: Tue Apr 14, 2020 3:18 pm

Re: Cannot write /certs when saving a certificate

Post by Dan_F_DXC »

Okay, so here are the permissions; they look fine:
-rwxrwxr-x 1 apache apache 4264 Jun 18 15:47 autoload.php
-rwxrwxr-x 1 apache apache 1320 Jul 14 10:10 config.local.php
-rwxrwxr-x 1 apache apache 19511 Jun 18 15:47 config.php
-rwxrwxr-x 1 apache apache 4613 Jun 18 15:47 constants.php
-rwxrwxr-x 1 apache apache 4852 Jun 18 15:47 database.php
-rwxrwxr-x 1 apache apache 2441 Jun 18 15:47 doctypes.php
-rwxrwxr-x 1 apache apache 156 Jun 18 15:47 elasticsearch.php
-rwxrwxr-x 1 apache apache 163 Jun 18 15:47 email.php
-rwxrwxr-x 1 apache apache 2993 Jun 18 15:47 foreign_chars.php
-rwxrwxr-x 1 apache apache 417 Jun 18 15:47 hooks.php
-rwxrwxr-x 1 apache apache 498 Jun 18 15:47 memcached.php
-rwxrwxr-x 1 apache apache 3032 Jun 18 15:47 migration.php
-rwxrwxr-x 1 apache apache 10057 Jun 18 15:47 mimes.php
-rwxrwxr-x 1 apache apache 917 Jun 18 15:47 pagination.php
-rwxrwxr-x 1 apache apache 477 Jun 18 15:47 profiler.php
-rwxrwxr-x 1 apache apache 3741 Jun 18 15:47 routes.php
-rwxrwxr-x 1 apache apache 3181 Jun 18 15:47 smileys.php
-rwxrwxr-x 1 apache apache 6132 Jun 18 15:47 user_agents.php
root@hpsatvld5352:/var/www/html/nagioslogserver/application/config # cd ..
root@hpsatvld5352:/var/www/html/nagioslogserver/application # ls -ld config
drwxrwxr-x 2 apache apache 4096 Jul 14 10:10 config
root@hpsatvld5352:/var/www/html/nagioslogserver # ls -ld application
drwxr-xr-x 16 apache apache 4096 Jun 18 15:47 application


I switched from Firefox to Chrome and get the attached error; it is a 500 error. Just to be clear, this is right after I type in my user name and password, which has browse authority in AD, and click login.