Re: NRDS unable to connect to NRDP server after upgrade

Posted: Fri Feb 05, 2016 5:21 pm
by skynardo
It looks like it expired yesterday so in addition to my original problem, I now also have an expired cert.

# curl -vvIk https://nagiosxi
* About to connect() to nagiosxi port 443 (#0)
* Trying 10.204.240.199... connected
* Connected to nagiosxi (10.204.240.199) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: E=root@nagiosxi,CN=ut528,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* start date: Feb 04 17:01:38 2015 GMT
* expire date: Feb 04 17:01:38 2016 GMT
* common name: nagiosxi
* issuer: E=root@nagiosxi,CN=ut528,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: nagiosxi
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 05 Feb 2016 22:16:02 GMT
Date: Fri, 05 Feb 2016 22:16:02 GMT
< Server: Apache/2.2.15 (Red Hat)
Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: PHP/5.3.3
X-Powered-By: PHP/5.3.3
< Connection: close
Connection: close
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
* Closing connection #0

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Mon Feb 08, 2016 11:23 am
by rkennedy
Are you able to issue a new certificate, and see if this issue persists? It may resolve on its own once you update the certificate.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Mon Feb 08, 2016 2:01 pm
by skynardo
It appears the http server is configured to use /etc/pki/tls/certs/localhost.crt

# grep -i crt /etc/httpd/conf.d/*conf
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

I tried creating a new localhost.crt using the following, but when I tried to restart httpd, it fails.
openssl req -new -x509 -newkey rsa:2048 -keyout localhost.key -nodes -days 3650 -out localhost.crt

Is there some documentation I should be following to do this? I did not configure this so I am guessing the XI installer did so.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Mon Feb 08, 2016 5:09 pm
by ssax
This guide shows you how to generate it:

https://assets.nagios.com/downloads/nag ... s%20XI.pdf

XI doesn't install the certificates; the default openssl yum package may, though.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Tue Feb 09, 2016 11:52 am
by skynardo
Thanks for that. I was able to create a new localhost.crt and localhost.key file and restart httpd. I now get the following when issuing curl from a client:

$ curl -vvlk https://nagiosxi
* About to connect() to ut528 port 443 (#0)
* Trying 10.204.240.199... connected
* Connected to nagiosxi (10.204.240.199) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=nagiosxi,OU=IT,O=Unigroup,L=Fenton,ST=Missouri,C=US
* start date: Feb 08 18:55:58 2016 GMT
* expire date: Feb 05 18:55:58 2026 GMT
* common name: nagiosxi
* issuer: CN=nagiosxi,OU=IT,O=Unigroup,L=Fenton,ST=Missouri,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: nagiosxi
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Feb 2016 16:41:31 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: PHP/5.3.3
< Content-Length: 2999
< Connection: close

However, if my nrds.cfg file looks like this:
URL="https://nagiosxi/nrdp/"
I get the following error when trying to run the nrds.pl cron job from the same client:
$ /usr/local/nrdp/clients/nrds/nrds.pl -H 'clienthost'
ERROR: could not connect to NRDP server at https://nagiosxi/nrdp/

If I change my nrds.cfg file to use http rather than https as shown below, the nrds.pl script works without error.
URL="http://nagiosxi/nrdp/"
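
Added example, not part of the thread: the curl runs above use -k, which skips certificate verification, so a 200 response does not show whether a client that does verify would accept the certificate. The script below applies the checks such a client makes (validity period, hostname, trust) with openssl to constructed throwaway certificates. The function names, file names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate the way a verifying
# TLS client would, rather than bypassing verification with curl -k.

# make_cert DIR NAME CN DAYS -> constructed self-signed test certificate,
# built with the same "openssl req -new -x509" form quoted in the thread.
make_cert() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days "$4" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# cert_report CRT HOST WARN_DAYS TRUST_CRT -> prints the first failing check.
cert_report() {
  # 1. Validity: is the certificate already past its expire date?
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo expired; return
  fi
  # 2. Renewal window: will it expire within WARN_DAYS?
  if ! openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null; then
    echo expiring; return
  fi
  # 3. Name: does the certificate cover the host name used in the URL?
  if ! openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
    echo hostname-mismatch; return
  fi
  # 4. Trust: a self-signed certificate verifies only if the client has been
  #    given it (or its issuer) as a trust anchor.
  if ! openssl verify -CAfile "$4" "$1" >/dev/null 2>&1; then
    echo untrusted; return
  fi
  echo ok
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_cert "$demo_dir" server nagiosxi 3650   # long-lived, CN matches the URL host
make_cert "$demo_dir" short  nagiosxi 1      # stands in for one about to lapse
make_cert "$demo_dir" other  elsewhere 3650  # unrelated trust anchor

cert_report "$demo_dir/server.crt" nagiosxi 30 "$demo_dir/server.crt"  # ok
cert_report "$demo_dir/short.crt"  nagiosxi 30 "$demo_dir/short.crt"   # expiring
cert_report "$demo_dir/server.crt" ut528    30 "$demo_dir/server.crt"  # hostname-mismatch
cert_report "$demo_dir/server.crt" nagiosxi 30 "$demo_dir/other.crt"   # untrusted
```

Run against a real deployment, the first argument would be the certificate file Apache serves and the last the file the client is configured to trust.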

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Tue Feb 09, 2016 6:11 pm
by rkennedy
Can you post your entire nrds.cfg file for us to take a look at?

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Feb 10, 2016 9:11 am
by skynardo
CONFIG_VERSION="2.1"
CONFIG_OS="Linux"
CONFIG_NAME="Linux_standard_checks"
URL="https://nagiosxi/nrdp/"
TOKEN="xxxxxxxxxxx"
PLUGIN_DIR="/usr/local/nagios/libexec"
SEND_NRDP="/usr/local/nrdp/clients/send_nrdp.sh"
TMPDIR="/usr/local/nrdp/clients/tmp"
COMMAND_PREFIX=""
LOG_FILE="/logs/techserv/nagios/nrds.log"
UPDATE_CONFIG="1"
UPDATE_PLUGINS="1"


command[check_cpu_linux]=/usr/local/nagios/libexec/check_cpu_linux.sh -w 10 -c 5 -t id
command[check_swap_linux]=/usr/local/nagios/libexec/check_swap_linux -w 60 -c 80
command[check_all_linux]=/usr/local/nagios/libexec/check_all_linux -f /usr/local/nagios/etc/check_all_linux.cfg
command[check_fsspace_linux]=/usr/local/nagios/libexec/check_fsspace_linux -f /usr/local/nagios/etc/check_fsspace_linux.cfg

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Feb 10, 2016 12:02 pm
by rkennedy
This looks good, can you also post /usr/local/nrdp/server/config.inc.php from your XI machine?

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Feb 10, 2016 12:19 pm
by skynardo
<?php
// NRDP Config File
// Copyright (c) 2010 Nagios Enterprises, LLC.
// License: Nagios Open Software License <http://www.nagios.com/legal/licenses>
//
// $Id: config.inc.php 3124 2015-01-22 21:14:52Z jomann $


// an array of one or more tokens that are valid for this NRDP install
// a client request must contain a valid token in order for the NRDP to response or honor the request
// NOTE: tokens are just alphanumeric strings - make them hard to guess!
$cfg['authorized_tokens']=array("xxxxxxxxxxxxx",);

// do we require that HTTPS be used to access NRDP?
// set this value to 'false' to disable HTTPS requirement
$cfg["require_https"]=false;

// do we require that basic authentication be used to access NRDP?
// set this value to 'false' to disable basic auth requirement
$cfg["require_basic_auth"]=false;

// what basic authentication users are allowed to access NRDP?
// comment this variable out to allow all authenticated users access to the NRDP
$cfg["valid_basic_auth_users"]=array();

// the name of the system group that has write permissions to the external command file
// this group is also used to set file permissions when writing bulk commands or passive check results
// NOTE: both the Apache and Nagios users must be a member of this group
$cfg["nagios_command_group"]="nagcmd";

// full path to Nagios external command file
$cfg["command_file"]="/usr/local/nagios/var/rw/nagios.cmd";

// full path to check results spool directory
$cfg["check_results_dir"]="/usr/local/nagios/var/spool/checkresults";

// full path to directory where temp scratch files can be written
// NOTE: the Apache user need to be able create files here, and the Nagios user needs to read/delete those same files, so the /tmp system directory won't work (it has a sticky bit on it)
$cfg["tmp_dir"]="/usr/local/nagiosxi/tmp";

// Should we allow external commands? Set to TRUE or FALSE (Boolean, not a string)
$cfg["disable_external_commands"]=false;

///////// DONT MODIFY ANYTHING BELOW THIS LINE /////////

$cfg['product_name']='nrdp';
$cfg['product_version']='1.3.1';

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Feb 10, 2016 5:15 pm
by rkennedy

// do we require that HTTPS be used to access NRDP?
// set this value to 'false' to disable HTTPS requirement
$cfg["require_https"]=false;

Can you change the false to true, and then run service httpd restart?

Let us know if this works.