CAC & AD authentication failures
- jmichaelson
- Posts: 383
- Joined: Wed Aug 23, 2023 1:02 pm
Re: CAC & AD authentication failures
Can you use Wireshark to watch the connections between your log server and AD server? Or telnet to port 636 on the AD server from your log server?
Please let us know if you have any other questions or concerns.
-Jason
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
Attached is the error from the Domain Controller. I don't see anything in the settings to create or choose a client certificate.
-
DoubleDoubleA
- Posts: 286
- Joined: Thu Feb 09, 2017 5:07 pm
Re: CAC & AD authentication failures
Is the SSL cert on your Log Server instances self-signed?
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
I have not enabled https on the log server. Is that cert automatically used for this?
-
DoubleDoubleA
- Posts: 286
- Joined: Thu Feb 09, 2017 5:07 pm
Re: CAC & AD authentication failures
Well, I might have that backwards. "Certificate is not trusted" is usually what the client will say when it connects to, for example, a web server, that uses a self-signed cert.
But in this case, I would expect Log Server is the client attempting to connect to the LDAP server, and that is what the error message seems to say.
This article seems to suggest there is something about client signing with LDAP, though it is not as plainly descriptive as I might like. https://learn.microsoft.com/en-us/previ ... quirements
https://learn.microsoft.com/en-us/troub ... ows-server
But how do you set a Linux host up with that? Here's a Red Hat article https://docs.redhat.com/en/documentatio ... entication
I DON'T use arch, btw: https://wiki.archlinux.org/title/LDAP_authentication
-
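A check for the two things suggested in this thread: whether port 636 on the domain controller is reachable from the log server, and whether the log server, acting as the TLS client, trusts the certificate the DC presents. This is an added example, not code from the thread or from Nagios; the hostname dc01.example.test and the optional CA bundle path are placeholders.

```python
"""Probe an AD domain controller over LDAPS from a Linux host and explain
why certificate verification fails, if it does.  Added example; the host
and CA bundle are placeholders to be replaced with your own values."""
import socket
import ssl

# OpenSSL X509 verify result codes -> what they usually mean for an LDAPS client.
VERIFY_HINTS = {
    10: "DC certificate has expired; renew it on the domain controller",
    18: "DC presents a self-signed certificate; import it (or reissue from a CA) on this host",
    19: "chain ends in a root this host does not trust; add the issuing CA to the bundle",
    20: "issuer certificate missing locally; install the intermediate/root CA on this host",
    21: "only the leaf cert was sent and its issuer is unknown here; install the CA chain",
    62: "certificate name does not match the host you connected to; use the DC's FQDN",
}


def diagnose(verify_code: int) -> str:
    """Translate an OpenSSL verify code into an actionable hint."""
    return VERIFY_HINTS.get(verify_code, f"verification failed with OpenSSL code {verify_code}")


def tcp_reachable(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Equivalent of the 'telnet to port 636' test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldaps(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0):
    """Return (ok, message).  cafile=None uses the system trust store, which is
    what most LDAP clients on the log server will consult."""
    if not tcp_reachable(host, port, timeout):
        return False, f"TCP {host}:{port} unreachable (firewall, wrong port, or LDAPS not enabled on DC)"
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subj = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return True, f"TLS ok ({tls.version()}), DC cert CN={subj.get('commonName')}"
    except ssl.SSLCertVerificationError as e:
        return False, diagnose(e.verify_code)
    except ssl.SSLError as e:
        return False, f"TLS handshake failed: {e}"


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder DC
    ok, msg = check_ldaps(dc, cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(("OK   " if ok else "FAIL ") + msg)
```

Run it first with no CA argument to see what the system trust store thinks, then again pointing at the CA bundle the DC's certificate was issued from; if only the second run succeeds, the fix is to add that CA to the host's trust store rather than to change anything on the DC.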
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
I'm enabling https to ensure there is a valid cert and remove this as a problem. I'm following the instructions at https://assets.nagios.com/downloads/nag ... S-2024.pdf . The main page at https://<servername>/nagioslogserver loads, but not fully. The CSS and images do not load. For example https://<servername>/nagioslogserver/media/favicon.ico returns 404, not found; but the http version of that URL does work.
# tail /var/log/httpd/access_log
128.160.42.50 - - [07/Nov/2024:13:50:53 -0600] "GET /nagioslogserver/media/favicon.ico HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
128.160.42.50 128.160.115.33 128.160.42.50 HTTP/1.1 - GET 304 [07/Nov/2024:13:50:53 -0600] - /nagioslogserver/media/favicon.ico "-"
# tail /var/log/httpd/ssl_access_log
128.160.42.50 - - [07/Nov/2024:13:49:08 -0600] "GET /nagioslogserver/www/media/favicon.ico HTTP/1.1" 404 1130
# cat /etc/httpd/conf.d/ssl.conf | grep -v \#
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLCryptoDevice builtin
<VirtualHost _default_:443>
Options FollowSymLinks
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /usr/local/nagioslogserver/var/certs/nagioslogserver.crt
SSLCertificateKeyFile /usr/local/nagioslogserver/var/certs/nagioslogserver.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
</IfModule>
<Directory "/var/www/html/nagioslogserver/www/">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
# cat /etc/httpd/conf.d/nagioslogserver.conf | grep -v \#
Alias /nagioslogserver "/var/www/html/nagioslogserver/www/"
KeepAlive On
MaxKeepAliveRequests 100
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule session_module modules/mod_session.so
<Directory "/var/www/html/nagioslogserver/www/">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
If my problems have exceeded this forum how do I open a support ticket?
- jmichaelson
- Posts: 383
- Joined: Wed Aug 23, 2023 1:02 pm
Re: CAC & AD authentication failures
Go here: https://support.nagios.com/; register for access to the customer support portal if you have not already done so, and log in to get in touch with support.
Please let us know if you have any other questions or concerns.
-Jason