NRDP: Could not connect to NRDP server

[shifty]

Hi gsmith,

where can I find the settings?

Code: Select all

"On your nrdp server go to Admin, Monitoring Config, Unconfigured Objects."

There is no such thing in the NRDP web interface

[gsmith]

Hi Shifty,

My bad, I forgot you were using Core. Let me get a Core server running and I'll get back to you.

Thanks

[gsmith]

hey Shifty,

Just about done getting my systems set up. Looks like you have SSL enabled on
the core machine. Did you configure SSL on the Log Server?

Are ports 443 open in the firewall on both machines?

Thanks

[shifty]

Hi gsmith,

what do you mean exactly with "configure ssl"?. Our ssl certificate from our CA is installed on both machines. both machines are in the same network, there is no firewall between them

[gsmith]

hi

I meant the firewall on each machine.

So you connect to the logserver using: https://192.168.23.89/nagioslogserver/ and NOT http://192.168.23.89/nagioslogserver/ right?
And the core machine: https://192.168.23.92/nagios/ NOT http://192.168.23.92/nagios/ right?

Besides answering the above please provide me with: /usr/local/nrdp/server/config.inc.php from the core machine - you can PM it to
me, just make sure reply to this so I get notified.

Thanks

[shifty]

Hi gsmith,

Firewalls on both mashines are disabled. Yes, i connect to the VM's using HTTPS.

https1.PNG

https2.PNG

Ive send you the config.inc.php

Thank you for your help so far !

[gsmith]

hey,

I am able to repeat the problem.

Run this in a shell on the logserver:

Code: Select all

curl -v -L http://core.server.com/nrdp/

(change core.server.com to your Nagios core server)

It should redirect you to https://core.server.com/nrdp/ and complain about your certificate.

Please send me the output to confirm, in the meantime I will try to think of a workaround.

Thanks

[shifty]

Hi gsmith,

heres the output from the command:

Code: Select all

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying xxx.xxx.xxx.xxx:80...
* TCP_NODELAY set
* Connected to nagioscorehostname.net (xxx.xxx.xxx.xxx) port 80 (#0)
> GET /nrdp/ HTTP/1.1
> Host: nagioscorehostname.net
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 28 May 2021 05:09:18 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Location: https://nagioscorehostname.net/nrdp/
< Content-Length: 314
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
{ [314 bytes data]
100   314  100   314    0     0   153k      0 --:--:-- --:--:-- --:--:--  153k
* Connection #0 to host nagioscorehostname.net left intact
* Issue another request to this URL: 'https://nagioscorehostname.net/nrdp/'
*   Trying xxx.xxx.xxx.xxx:443...
* TCP_NODELAY set
* Connected to nagioscorehostname.net (xxx.xxx.xxx.xxxx) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1874 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [147 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=DE; ST=xxxxxxxxxxxx; L=xxxxxxxxxxxxx; O=xxxxxxxxxx; CN=nagioscorehostname.net
*  start date: Apr 29 11:20:00 2021 GMT
*  expire date: Apr 28 11:20:00 2026 GMT
*  subjectAltName: host "nagioscorehostname.net" matched cert's "nagioscorehostname.net"
*  issuer: C=DE; ST=xxxxxxxxxxxxxx; L=xxxxxxxxxxx; O=xxxxxxxxxxxxx; CN=xxxxxxxxxxx CA1
*  SSL certificate verify ok.
} [5 bytes data]
> GET /nrdp/ HTTP/1.1
> Host: nagioscorehostname.net
> User-Agent: curl/7.68.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 28 May 2021 05:09:18 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [5 bytes data]
100 10590    0 10590    0     0   544k      0 --:--:-- --:--:-- --:--:--  544k
* Connection #1 to host nagioscorehostname.net left intact

[gsmith]

That looks pretty good, but the "* Mark bundle as not supporting multiuse" worries me.

What got things working for me was for my log server to trust the cert on the Core (NRDP) server.
So let's try that for you.

My log server is Centos8. I know your's is Ubuntu 20 so we may have to tweak some commands.

On your log server:

Code: Select all

cd /tmp
openssl s_client -showcerts -servername <server> -connect <server>:443 > cacert.pem

note - in above the server name (or IP address is required in two places)

type "quit", followed by the "ENTER" key

**********************************This is FYI only, you do not need to do this:****************************************************************
The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.

If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone with the
curl command line tool: --cacert [file]
**********************************************************************************************************************************************************************


to add to CA certificate store:

Code: Select all

openssl x509 -outform der -in cacert.pem -out cacert.crt

Code: Select all

sudo cp cacert.crt /usr/local/share/ca-certificates

Code: Select all

sudo dpkg-reconfigure ca-certificates 

^^^ this command for Ubuntu 16, if it doesn't work try:

Code: Select all

sudo update-ca-certificates

Good luck!

[shifty]

Hi gsmith,

here is the output from the comands:

Code: Select all

root@logserverdomain:/tmp# openssl s_client -showcerts -servername nagioscoredomain.net -connect nagioscoredomain.net:443 > cacert.pem                                                                                                  

depth=2 C = DE, ST = XXXXXXX, L = XXXXXXXX, O = XXXXXXXXXXXXx, CN = XXXXXXXX Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = DE, ST = XXXXXXXXXXXx, L = XXXXXXXXXx, O = XXXXXXXXXXXXXX, CN = XXXXXXXX Root CA
verify return:1
depth=1 C = DE, ST = XXXXXXXXXXXx, L = XXXXXXXXXXX, O = XXXXXXXXXx, CN = XXXXXXX Intermediate CA1
verify return:1
depth=0 C = DE, ST = XXXXXXXXX, L = XXXXXXXXXXXx, O = XXXXXXXXXXXXx, CN = nagioscoredomain.net
verify return:1

Code: Select all

root@logserverdomain:/tmp# update-ca-certificates

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping RootCAChainIntermediate1.pem,it does not contain exactly one certificate or CRL
rehash: warning: skipping nagioscoredomain.pem,it does not contain exactly one certificate or CRL
rehash: warning: skipping cacert.pem,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:cacert.pem
done.
done.

It looks like theres a problem with the certificate mhh.