Issues after migrating to a new server

[hbouma]

Ok, as a test, I did a clean install of Nagios XI 5.8.6 on a RHEL 8.5 server. It has no other applications installed.

After installing the server, I did the following:
Add Certificate Authority Management certificates.
Configure the LDAP/AD Authentication Servers.
Added 1 user with only AD authentication allowed.
Tested and failed a login to the AD server.

Start tcpdump capture:

Code: Select all

tcpdump -s 0 -i any port <yourldapporthere> -w /tmp/output.pcap

Then run through:

Code: Select all

echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636

Let's get the curl results from the api:

Code: Select all

curl -k --verbose -XPOST "https://yournagioshostaddresshere/nagiosxi/api/v1/system/authserver?apikey=yourapikeyhere&pretty=1" -d "conn_method=ldap&ldap_host=yourldaphostaddresshere&base_dn=fulldistinguished namehere&security_level=ssl"

Commands have been run. I added a few different additional AD and LDAP authentication servers to test. I still cannot log in from the GUI. The tests I have provided are run using a straight install of Nagios XI with no password changes, no offloading of the database, no changes to any settings other than what was listed above.

I will send you a packet capture via PM.

[hbouma]

Also, I was asked by hour Server team to use a new load balanced IP for the AD server. This one connects without issue:

Code: Select all

echo 'DONE' | openssl s_client -showcerts -connect REDACTED:636
CONNECTED(00000003)
depth=3 REDACTED
verify return:1
depth=2 REDACTED
verify return:1
depth=1 REDACTED
verify return:1
depth=0 REDACTED
verify return:1
140652498016064:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2157:
---
Certificate chain
0 s:REDACTED
   i:REDACTED
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
---
Server certificate
subject=REDACTED

issuer=REDACTED

---
No client certificate CA names sent
---
SSL handshake has read 2373 bytes and written 308 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1646067949
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


[pbroste]

Hello @hbouma

We are receiving a RST:

Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Warning/Sequence): Connection reset (RST)]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A·R··]

Did you get a chance to reach out to your AD Engineer, to find out what is getting logged in the Events?

Thanks,
Perry

[hbouma]

Sorry for the delay. I appear to no longer get notifications when my posts are updated.

We checked out the AD servers, and we see login attempts from my work computer at the time I attempt to authenticate to the Nagios XI web page, but do not see any authentication attempts from the server itself. Is this expected?

2022-03-04 15_03_22-Greenshot image editor.png

[pbroste]

Hello @hbouma

You are correct that we should be event logs on the server when Authentication is attempted. That means that the RST noted in the 'tcpdump' is getting bounced even before it has a chance to log.

Let's turn on some logging:

In your /etc/php.ini find these lines and verify that they are enabled and un-commented:

Code: Select all

log_errors = on
error_log = /var/log/phplogs.log
display_errors = on

Then touch to create:

Code: Select all

touch /var/log/phplogs.log

Restart the Apache by bouncing:

Code: Select all

systemctl restart httpd

Send some logging attempts to capture some logging, please take a look at the '/var/log/phplogs.log'.

Please send over the logging and the output on this: php -r 'phpinfo();'

Thanks,
Perry

[hbouma]

I have made the changes, but no logs are being written. I will be sending you the php.ini and the phpinfo(); output.

[hbouma]

Hello,

I haven't heard anything back and just wanted to check in.

[pbroste]

Hello @hbouma

Want to find out if we are able to connect directly from the Nagios server os:

Code: Select all

yum install openldap-clients -y

Code: Select all

ldapsearch -x -h <yourldapserver> -p <port> -D <username@yourldapdomainname -W -b "dc=searchbasecompany,dc=local" -s -s sub "(cn=*)"

Please let us know the results,
Perry

[hbouma]

LDAP Search from the command line is failing with a complaint about the DH certificate key. I am reaching out from to our server team on this.

Code: Select all

[root@servername~]# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://LOAD_BALANCED_IP -D USER_ACCOUNT -W -b "[i]SEARCH_BASE[/i]" -s sub "(cn=)" -d 999
ldap_url_parse_ext(ldaps://LOAD_BALANCED_IP)
ldap_create
ldap_url_parse_ext(ldaps://LOAD_BALANCED_IP:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP LOAD_BALANCED_IP:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP_ADDRESS
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=263, written=263
CERTIFICATE_INFO
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  16 03 03 00 31                                     ....1
tls_read: want=49, got=49
TLS_INFO
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
  0000:  16 03 03 06 f2                                     .....
tls_read: want=1778, got=1778
TLS_INFO
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: SUBJECT
TLS certificate verification: Error, unable to get local issuer certificate
tls_read: want=5, got=5
  0000:  16 03 03 02 0f                                     .....
tls_read: want=527, got=527
CERTIFICATE_INFO
TLS trace: SSL_connect:SSLv3/TLS read server certificate
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


[pbroste]

Hello @hbouma

Thanks for following up with the results we see that the 'ldapsearch' command is unable to look for and get the valid cert. Let's go ahead and add that exception by adding or commenting out:

/etc/openldap/ldap.conf

TLS_REQCERT allow
TLS_CACERT /path/where/cert/is
TLS_REQCERT demand

Thanks,
Perry