Hello,
DUO has been notifying customers of their existing CA bundle expiring on Feb 2nd 2026. They advise updating any impacted clients/applications to prevent auth or service disruption.
The Nagios XI DUO 2FA Integration reports back to the internal DUO admin report page that it is using duo_universal_php 1.0.0. I was able to manually update the component/extension within the Nagios host, and it successfully addressed the flag in the internal DUO admin report, in that it no longer shows the DUO component/extension as running an "older" client.
The current version available for duo_universal_php was obtained from: https://github.com/duosecurity/duo_universal_php . Some additional information here: https://help.duo.com/s/article/9451?lan ... Track=true
I believe the System Extensions > Manage Components items are maintained outside the typical Nagios XI release pattern ergo this may be able to be updated by Nagios and pulled by a Nagios XI user prior to the next maintenance release of Nagios XI? That would address the CA bundle and avoid an app impact.
Nagios XI DUO 2FA Integration - CA Bundle
-
DoubleDoubleA
- Posts: 272
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Nagios XI DUO 2FA Integration - CA Bundle
Hi @Alongaks,
Thanks for your notes on this issue.
We're looking at this issue. It does seem to be the case that simply swapping in 1.1.0_duo_universal_php will overcome the cert issue.
At the moment we are looking at simply swapping the new certificates into the 1.0.0_duo_universal_php.
One concern is that the newest version requires php 7.4, which may be problematic for some of our RHEL 8 users.
Aaron
Re: Nagios XI DUO 2FA Integration - CA Bundle
Hey, Aaron. Appreciate the response.
As an FYI - we have two XI installs: the "prod" node on RHEL 8 with the PHP 8.4 module active/running; the "test" node on RHEL 9 with the PHP 8.4 module active/running. Both have been fine for us thus far, in general. Of course that doesn't say much for environments that have to hang around on older PHP versions for one reason or another.
Another observation - swapping in the new certificates may address the CA bundle expiration by DUO. However, the environment's local DUO admin UI will continue to report back that the client is non-compliant due to the version it is sending back upon an authentication/login exchange. My environment is a bit more strict, and the preference is to not require an extension for unsupported clients. I believe this is being served up from either of the following version files:
Code:
vendor/composer/installed.json
vendor/composer/installed.php
This one gets updated if updating duo_universal_php entirely, though I'm not 100% sure if this is passed at all during the auth/login exchange:
Code:
vendor/duosecurity/duo_universal_php/src/Client.php
After I did a full "update" of the duo_universal_php stuff in both of our XI hosts, they still reported the former 1.0.0 version in the DUO host, thus non-compliant. After manually updating the version in the installed.* files and validating that the Client.php version was as expected, it then stopped showing up as "old" in the DUO host.
I may make a script that will do a follow-up pass over the DUO plugin after a Nagios XI update to ensure the latest full version is installed. Looking at DUO's GitHub release changes from 1.0.1 to current, they may be benign enough to edit the two installed.* files for the minimum required version to suppress the notification in the DUO host.
Again, thanks for taking a look.
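The "follow-up pass" script mentioned in the post above, written out as an added example; this is not code from the original post, from Nagios, or from Duo. It reads the composer metadata (vendor/composer/installed.json, in either the Composer 1 list layout or the Composer 2 {"packages": [...]} layout) and the duo_universal_php Client.php, compares the two recorded versions against a minimum, and reports any disagreement, which is the state the post describes (metadata still at 1.0.0 while the code was updated). The minimum version 1.1.0, the file paths, and the assumed form of the constant in Client.php (const VERSION = "x.y.z";) are assumptions for the example; the sample file contents are constructed inline so it runs offline.

```python
import json
import re
import sys
from pathlib import Path

# Assumed minimum client version for the example; take the real value from Duo's notice.
MIN_VERSION = "1.1.0"

# Paths relative to the Nagios XI DUO component directory (assumed layout from the post).
INSTALLED_JSON = "vendor/composer/installed.json"
CLIENT_PHP = "vendor/duosecurity/duo_universal_php/src/Client.php"


def parse_version(v):
    """Turn '1.1.0' or 'v1.1.0' into (1, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def installed_json_version(text, package="duosecurity/duo_universal_php"):
    """Version composer recorded for `package`; handles Composer 1 (list) and 2 (dict)."""
    data = json.loads(text)
    packages = data["packages"] if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == package:
            return pkg.get("version")
    return None


def client_php_version(text):
    """VERSION constant from Client.php; assumes the form const VERSION = "x.y.z";"""
    m = re.search(r'const\s+VERSION\s*=\s*["\']([\d.]+)["\']', text)
    return m.group(1) if m else None


def check_component(installed_json_text, client_php_text, minimum=MIN_VERSION):
    """Compare metadata and code versions; empty 'findings' means both agree and meet minimum."""
    meta = installed_json_version(installed_json_text)
    code = client_php_version(client_php_text)
    findings = []
    if meta is None:
        findings.append("duo_universal_php not listed in installed.json")
    if code is None:
        findings.append("no VERSION constant found in Client.php")
    if meta and code and parse_version(meta) != parse_version(code):
        findings.append(f"installed.json says {meta} but Client.php says {code}")
    for label, v in (("installed.json", meta), ("Client.php", code)):
        if v and parse_version(v) < parse_version(minimum):
            findings.append(f"{label} reports {v}, below minimum {minimum}")
    return {"installed_json": meta, "client_php": code, "findings": findings}


def check_component_dir(root):
    """Run the check against a real component directory on disk."""
    root = Path(root)
    return check_component((root / INSTALLED_JSON).read_text(),
                           (root / CLIENT_PHP).read_text())


# Constructed sample inputs: stale composer metadata next to an updated Client.php.
SAMPLE_INSTALLED_JSON_STALE = json.dumps({
    "packages": [{"name": "duosecurity/duo_universal_php", "version": "1.0.0"}],
    "dev": False,
})
SAMPLE_INSTALLED_JSON_CURRENT = json.dumps(
    [{"name": "duosecurity/duo_universal_php", "version": "v1.1.0"}]  # Composer 1 layout
)
SAMPLE_CLIENT_PHP_NEW = '<?php\nnamespace Duo;\nclass Client\n{\n    const VERSION = "1.1.0";\n}\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_component_dir(sys.argv[1])
    else:
        result = check_component(SAMPLE_INSTALLED_JSON_STALE, SAMPLE_CLIENT_PHP_NEW)
    for finding in result["findings"]:
        print("FINDING:", finding)
    sys.exit(1 if result["findings"] else 0)
```

Run it with the component directory as the only argument after each Nagios XI update (a non-zero exit means something to fix); with no argument it runs against the constructed sample and flags the metadata/code mismatch.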
-
DoubleDoubleA
- Posts: 272
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Nagios XI DUO 2FA Integration - CA Bundle
Hi @Alongaks,
Thanks for that additional info.
What we'll do with the next release is update the client, and if someone has a php version conflict they can downgrade the client since it is still available on GitHub.
We expect to have a release with this change prior to Feb 2.
Aaron
Re: Nagios XI DUO 2FA Integration - CA Bundle
Was this supposed to be addressed in the latest update (2026R1.1.1)? I see in the changelog:
Updated DUO Component CA Certificates [GL:XI#2330] - BR
Updated DUO Component Version to work with new certificates [GL:XI!2122] - BR
Updated links within DUO Component with up-to-date instructions [GL:XI!2110] - BR
but it looks like it is still using duo_universal_php 1.0.0? (DUO still sees Nagios 2026R1.1.1 as being non-compliant.)
Are there more patches incoming related to this?
Thanks
-
DoubleDoubleA
- Posts: 272
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Nagios XI DUO 2FA Integration - CA Bundle
Hi @yaks,
Apologies, there was an issue with the update file for Nagios XI 2026R1.1.1. I'll have a new sticky thread regarding that shortly.
Aaron
-
DoubleDoubleA
- Posts: 272
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Nagios XI DUO 2FA Integration - CA Bundle
Following this as I have been made aware by our identity team that this will be an issue for us as of March 31st. Will there be an update or (supported) workaround available for XI 2024 (ie. downloading the updated duo_universal_php)?
Thanks...John