
Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 4:31 pm
by mmestnik
There we go. You can install your self-signed cert as an accepted CA.

Should be an ssl folder with a ca or CA folder in it. You copy the file in with any name (normal convention), then you create a symbolic link to this file from a hex representation of the key. Should be a document somewhere on the web for how to do this...

You know the key for 127.0.0.1 and localhost would be usable on almost every computer. You can also set up tinyca, but then you still have to figure out how to insert your own cert into the trusted roots.

Good luck attempting to master the use of HTTPS, it's not so easy, is it!

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 5:11 pm
by edgeweb
I think this would be the instructions you mean:
http://gagravarr.org/writing/openssl-ce ... ed-openssl

Thanks,

Dave

Re: Configuration write failed - Dataset not found - Please help

Posted: Tue Apr 13, 2010 12:46 pm
by mmestnik
Yes, that's it. The simple version is this, my best stab at for dummies:
First ensure there is only one certificate in this PEM formatted file. Normally you would create a symbolic link for a meaningful name of the CA to the hash value, rather than renaming the CA certificate. Look up the hash value.
In either /usr/share/ssl/ or /etc/pki/tls/ and why not both, whatever exists.
Run this program after changing the first line:

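Code:

file=/path2file
# Continue only if the PEM file holds exactly one certificate.
[ "$(grep -c 'BEGIN.* CERTIFICATE' < "$file")" -eq 1 ] && {
	# OpenSSL looks CA certificates up by subject hash plus a ".0" suffix.
	key=$(openssl x509 -hash -noout -in "$file").0
	echo "This is a good PEM file with key $key."
	# The targets are directories, so test with -d (not -f) and require write access.
	for ech in /usr/share/ssl /etc/pki/tls
		do [ -d "$ech" -a -w "$ech" ] && {
			cp -f "$file" "$ech"; ln -sf "$(basename "$file")" "${ech}/${key}"
		}
	done
}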

Re: Configuration write failed - Round 3 - Dataset not found

Posted: Tue Apr 13, 2010 4:42 pm
by mmestnik
edgeweb wrote: The only thing I would add to another post is that it seems to be working fine now, all SSL for my users (which makes me happy, and more importantly my auditors happy).

Thanks,

Dave

Status MAP on SSL

Posted: Sun May 02, 2010 11:43 pm
by bugtoo
Hello,
If I access Nagios XI using SSL, the network image from the home page link is not generated.

Any ideas?


Thanks!

Re: Status MAP on SSL

Posted: Mon May 03, 2010 10:03 am
by mmestnik
We don't supply an https transport. Yes, this sounds like the localhost certificate problem.

You will want to read this whole thread carefully and make sure you satisfy all the constraints of using https.

nagios using HTTPS

Posted: Mon Jun 07, 2010 8:50 am
by dxf1
Hi, can the Nagios server be accessed using https, and if so, what changes are required in the config files?
Many thanks, Dave

Re: SSL Issues: Configuration write failed - Dataset not found

Posted: Wed Jan 19, 2011 12:14 pm
by nauessp
This was a very frustrating problem for us as well.

Our policy is that all web servers should use SSL. We also require an SSL certificate signed by a recognized authority. All http connections are to be redirected (i.e. rewritten) to https. Really, I can't imagine not using SSL for any production web server.

I tried several workarounds after my initial tries failed. Using a separate, self-signed certificate for localhost sounds like a management nightmare and a bit of a hack job. I also considered blocking port 80 using something like iptables, but this strikes me as an incomplete solution.

I came up with this solution using mod_rewrite:

Code:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !localhost [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R]

This rewrites anything not https and not connecting to localhost. (And connections to http://localhost are left alone.) This seems to be working, and I'm able to write config files and I can see everything we've set up so far. I also see the entries in the access_log where the backend Nagios bits are connecting to localhost. Everything else is rewritten to https and is visible in the ssl_access_log.

This also means I did not need to change the "Program URL:" in the Nagios System Settings to point to https. I left this completely alone and it seems to be working. If anyone sees a problem with this solution, please let me know.

Also, is there a good place to request future Nagios XI releases are SSL friendly?
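
Added example, not part of nauessp's post or of Nagios XI: a Python model of the two RewriteCond lines above, run over constructed requests to show which plain-HTTP requests the Host-based exemption leaves unredirected, next to an assumed variant that exempts by %{REMOTE_ADDR} instead. The host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample requests: (label, is_https, Host header, peer address).
REQUESTS = [
    ("browser using the public name", False, "nagios.example.com", "203.0.113.7"),
    ("Nagios XI backend call", False, "localhost", "127.0.0.1"),
    ("backend call over IPv6", False, "localhost", "::1"),
    ("remote client sending Host: localhost", False, "localhost", "203.0.113.7"),
    ("remote client, name containing localhost", False, "localhost.example.com", "203.0.113.7"),
    ("browser already on https", True, "nagios.example.com", "203.0.113.7"),
]


def redirect_by_host(is_https, host, peer):
    # The post's conditions (all must hold for the RewriteRule to fire):
    #   RewriteCond %{HTTPS} !=on
    #   RewriteCond %{HTTP_HOST} !localhost [NC]
    # A RewriteCond pattern is an unanchored regex; "!" negates the match.
    return not is_https and re.search("localhost", host, re.IGNORECASE) is None


def redirect_by_peer(is_https, host, peer):
    # Assumed variant, not from the thread: exempt by connection source.
    #   RewriteCond %{HTTPS} !=on
    #   RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|::1)$
    return not is_https and re.search(r"^(127\.0\.0\.1|::1)$", peer) is None


def left_on_http(rule):
    """Labels of plain-HTTP requests that the given rule does not redirect."""
    return [label for label, is_https, host, peer in REQUESTS
            if not is_https and not rule(is_https, host, peer)]


if __name__ == "__main__":
    for name, rule in (("Host-based", redirect_by_host), ("peer-based", redirect_by_peer)):
        print(name, "exemption leaves on HTTP:")
        for label in left_on_http(rule):
            print("  -", label)
```

The Host header is chosen by the client, while REMOTE_ADDR is the TCP peer address, so only the second form limits the exemption to calls made on the server itself.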