We are getting a "Peer's Certificate issuer is not recognized." error when we run the following curl command for API access.
[root@nagios ~]# curl -XGET "https://nagios.acentek.net/nagiosxi/api ... =localhost"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
If we run the URL from the Curl command in our browser we get localhost info back. And if we run the CURL command with -k at the end we get localhost info as expected. We don't know why we are having Certificate verification errors.
Nagios and OpsGenie API issues
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Nagios and OpsGenie API issues
Hi @acentek,
The way around this without using the -k or --insecure option would be to add the Nagios XI server as a trusted certificate to this server. Take a look at the following solution to get the certificate and copy the crt file to /etc/pki/ca-trust/source/anchors (Cent/RHEL) on this server.
curl (60) peer’s certificate issuer is not recognized
Red Hat Documentation
4.14. USING SHARED SYSTEM CERTIFICATES
Let me know if that resolves the error for you.
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
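The procedure from the answer above, written out as an added example (not code from the thread or from Nagios). The host name comes from the curl command in the question; the anchor file name and the function names are assumptions.

```shell
# Added example, not from the thread. XI_HOST comes from the curl command in
# the question; the anchor file name "$host.crt" is an assumption.
XI_HOST="nagios.acentek.net"
ANCHOR_DIR="/etc/pki/ca-trust/source/anchors"   # Cent/RHEL path from the answer

# Print only the first PEM certificate on stdin: in `openssl s_client` output
# that is the certificate the server itself presented.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Fetch the presented certificate. Nothing is trusted at this point.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        first_pem_cert
}

# Run as root on the machine where curl fails with error 60.
install_anchor() {
    host="$1"
    tmp="$(mktemp)" || return 1
    fetch_server_cert "$host" > "$tmp"
    [ -s "$tmp" ] || { echo "no certificate received from $host" >&2; return 1; }
    # Compare this fingerprint with the certificate file on the Nagios XI
    # server itself before answering, so a substituted certificate is not trusted.
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate -fingerprint -sha256
    printf 'Fingerprint matches the copy on the server? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" "$ANCHOR_DIR/$host.crt" && rm -f "$tmp"
    update-ca-trust extract   # rebuild the consolidated system bundle
}

# Usage: install_anchor "$XI_HOST", then repeat the curl command without -k.
```

If the server certificate was issued by an internal CA rather than being self-signed, install that CA's certificate as the anchor instead of the server's own certificate.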
Re: Nagios and OpsGenie API issues
So today we've been working with OpsGenie recently on this. They asked that I swing this by you.
I think this bit of the logs should provide most of what they're looking for - this shows the full request and request payload, and the success response from Nagios indicating that it *should* be executing the action (and that particular action - cmd_typ= 33).
**** LOG DATA ****
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.opsgenie.com:443
DEBUG:urllib3.connectionpool:https://api.opsgenie.com:443 "GET /v2/alerts/4204f161-4fd1-4ca8-8d69-154671fe51a9-1597673884237 HTTP/1.1" 200 None
DEBUG:root:[Acknowledge]:Posting to Nagios. Url https://localhost/nagios/cgi-bin/cmd.cgi params:{'btnSubmit': 'Commit', 'cmd_mod': '2', 'send_notification': 'off', 'host': 'mautic', 'com_author': 'opsgenie', 'com_data': 'Acknowledged by [email protected] via Opsgenie', 'sticky_ack': 'on', 'cmd_typ': '33'}
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): localhost:443
DEBUG:urllib3.connectionpool:https://localhost:443 "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 None
INFO:root:[Acknowledge]: Successfully executed at Nagios.
DEBUG:root:[Acknowledge]: Nagios response: b'<html>\n<head>\n<link rel="shortcut icon" href="/nagios/images/favicon.ico" type="image/ico">\n<title>\nExternal Command Interface\n</title>\n<LINK REL=\'stylesheet\' TYPE=\'text/css\' HREF=\'/nagios/stylesheets/common.css\'>\n<LINK REL=\'stylesheet\' TYPE=\'text/css\' HREF=\'/nagios/stylesheets/cmd.css\'>\n</head>\n<body CLASS=\'cmd\'>\n\n<!-- Produced by Nagios (https://www.nagios.org). Copyright (c) 1999-2007 Ethan Galstad. -->\n<table border=0 width=100%>\n<tr>\n<td align=left valign=top width=33%>\n<TABLE CLASS=\'infoBox\' BORDER=1 CELLSPACING=0 CELLPADDING=0>\n<TR><TD CLASS=\'infoBox\'>\n<DIV CLASS=\'infoBoxTitle\'>External Command Interface</DIV>\nLast Updated: Mon Aug 17 13:26:17 CDT 2020<BR>\nNagios® Core™ 4.2.4 - <A HREF=\'https://www.nagios.org\' TARGET=\'_new\' CLASS=\'homepageURL\'>www.nagios.org</A><BR>\nLogged in as <i>nagiosadmin</i><BR>\n</TD></TR>\n</TABLE>\n</td>\n<td align=center valign=top width=33%>\n</td>\n<td align=right valign=bottom width=33%>\n</td>\n</tr>\n</table>\n<P><DIV CLASS=\'infoMessage\'>Your command request was successfully submitted to Nagios for processing.<BR><BR>\nNote: It may take a while before the command is actually processed.<BR><BR>\n<A HREF=\'javascript:window.history.go(-2)\'>Done</A></DIV></P>\n<!-- Produced by Nagios (https://www.nagios.org). Copyright (c) 1999-2007 Ethan Galstad. -->\n</body>\n</html>\n' response code: 200
**** LOG DATA ****
From there, they should be able to troubleshoot at what point within Nagios that command is actually failing, I would think.
Re: Nagios and OpsGenie API issues
So my question is how do you verify that API request worked, because we are not seeing the alarms get ACKed, but with the above you see it attempted to send the ACK to Nagios.
Re: Nagios and OpsGenie API issues
Now it's more of External Command calls from OpsGenie, but why is it failing? Is there a number I can call to actually get support to look at this?
benjaminsmith
Re: Nagios and OpsGenie API issues
Hi @acentek,
Since there are no obvious errors in the output you posted, let's turn on external command logging and then try to run those commands through Opsgenie and we'll see if we can determine the source of the issue.
Edit the main nagios configuration file at /usr/local/nagios/etc/nagios.cfg and turn on the following option:
log_external_commands=1
Save and restart nagios and see what is logged in the nagios.log files when the next command comes in.
Also, check the Audit Log to see if the command came in and are there any issues executing Acknowledgements via the XI web interface?
Lastly, a system profile would be helpful to check the package versions and logs for additional information. Thanks, Benjamin
To send us your system profile:
Log in to the Nagios XI GUI using a web browser.
Click the "Admin" > "System Profile" Menu
Click the "Download Profile" button
Save the profile.zip file and share in a private message or upload it to the post/ticket, and then reply to this post to bring it up in the queue.
Re: Nagios and OpsGenie API issues
Edited the config
Restarted nagios
Created a service alert.
[1597798025] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;2;inactive
[1597798078] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;3;inactive
[1597798080] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;mautic;Apache Web Server;1597798077
[1597798082] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;4;inactive
[1597798085] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;mautic;Apache Web Server;1597798077
[1597798087] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;HARD;5;inactive
[1597798087] SERVICE NOTIFICATION: opsgenie_for_IT_Team;mautic;Apache Web Server;CRITICAL;notify-service-by-opsgenie_Contact_2;inactive
[1597798087] SERVICE NOTIFICATION: opsgenie_for_IT_Team;mautic;Apache Web Server;CRITICAL;notify-service-by-opsgenie_Contact;inactive
Acked in OpsGenie
[1597798109] EXTERNAL COMMAND: ACKNOWLEDGE_HOST_PROBLEM;mautic;2;1;0;Nagios Administrator;Acknowledged by [email protected] via Opsgenie
No Audit log during this timeframe
Sent you profile.zip in PM.
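A check over nagios.log once log_external_commands=1 is on, as an added example (not code from the thread, Nagios or Opsgenie): it reports every notified host or service for which no acknowledgement command of the same object type was logged. The function names are assumptions; the sample lines are copied from the post above.

```shell
# Added example. Reads nagios.log lines on stdin and prints each notified
# object that has no acknowledgement command logged for that same object.
unmatched_acks() {
    awk '
    {
        # Split "[epoch] TYPE: a;b;c" into the entry type and its fields.
        colon = index($0, ": ")
        if (colon == 0) next
        rb = index($0, "] ")
        type = substr($0, rb + 2, colon - rb - 2)
        split(substr($0, colon + 2), f, ";")
    }
    type == "SERVICE NOTIFICATION" { notified["SERVICE " f[2] ";" f[3]] = 1 }
    type == "HOST NOTIFICATION"    { notified["HOST " f[2]] = 1 }
    type == "EXTERNAL COMMAND" && f[1] == "ACKNOWLEDGE_SVC_PROBLEM" {
        acked["SERVICE " f[2] ";" f[3]] = 1
    }
    type == "EXTERNAL COMMAND" && f[1] == "ACKNOWLEDGE_HOST_PROBLEM" {
        acked["HOST " f[2]] = 1
        hostack[f[2]] = 1
    }
    END {
        for (k in notified) {
            if (k in acked) continue
            msg = k ": no matching acknowledgement logged"
            if (k ~ /^SERVICE /) {
                rest = substr(k, 9)
                host = substr(rest, 1, index(rest, ";") - 1)
                if (host in hostack)
                    msg = msg " (ACKNOWLEDGE_HOST_PROBLEM seen for host " host ")"
            }
            print msg
        }
    }' | sort
}

# Lines taken from the post above.
sample_log() {
cat <<'EOF'
[1597798087] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;HARD;5;inactive
[1597798087] SERVICE NOTIFICATION: opsgenie_for_IT_Team;mautic;Apache Web Server;CRITICAL;notify-service-by-opsgenie_Contact;inactive
[1597798109] EXTERNAL COMMAND: ACKNOWLEDGE_HOST_PROBLEM;mautic;2;1;0;Nagios Administrator;Acknowledged by [email protected] via Opsgenie
EOF
}

# Usage: unmatched_acks < /usr/local/nagios/var/nagios.log   (path is an assumption)
```

On the posted lines, `sample_log | unmatched_acks` reports the service mautic;Apache Web Server: the notification was for a service, while the only acknowledgement logged is ACKNOWLEDGE_HOST_PROBLEM for the host.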
benjaminsmith
Re: Nagios and OpsGenie API issues
Hi @acentek,
Thanks for the profile. I see you have opened a ticket for this issue as well, let's continue to troubleshoot this issue via the ticket. I've attached the system profile to that ticket as well.