Re: Configuring NagiosXI for HTTPS

Posted: Wed Jul 06, 2016 4:19 pm
by rkennedy
bhowardFSU wrote: I'm having the same issue, following the same documentation. I agree, the documentation is faulty.

Followed documentation from: https://assets.nagios.com/downloads/nag ... s%20XI.pdf
Adding the Rewrite rules to the httpd.conf as per the instructions:

Code:

echo 'RewriteEngine On' >> /etc/httpd/conf/httpd.conf
echo 'RewriteCond %{HTTPS} off' >> /etc/httpd/conf/httpd.conf
echo 'RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}' >> /etc/httpd/conf/httpd.conf
With these lines in the httpd.conf, "Apply Configuration" in the CCM causes the "Waiting for configuration verification......." with endless dots. This is with Nagios XI 5.2.8 on a fresh install (I'm setting up a new server from scratch).

If I comment out the lines and restart apache, it works fine. I need to have this working, we can't have production logins on http.

I'm unsure if these are related so I need a few pieces of information.

What URL are you accessing XI with? Also, please post your /etc/hosts file. I suspect the loop is occurring from the %{HTTP_HOST} part, which is probably not pointing at itself. (127.0.0.1)

Lastly, please post a screenshot of your Admin -> System Settings page.

Re: Configuring NagiosXI for HTTPS

Posted: Wed Jul 06, 2016 4:28 pm
by rkennedy
For the record, I just ran through our SSL document on a fresh 5.2.9 machine and it worked without issue. Here is everything I ran (some non-relevant lines removed) -

Code:

# Generate a private key, a CSR, and a self-signed certificate valid for 365 days
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Install the certificate and key, and restrict their permissions
cp ca.crt /etc/pki/tls/certs
cp ca.key ca.csr /etc/pki/tls/private/
chmod go-rwx /etc/pki/tls/private/ca.key
chmod go-rwx /etc/pki/tls/certs/ca.crt
# Point Apache's SSL configuration at the new certificate and key
sed -i 's#^SSLCertificateFile.*#SSLCertificateFile /etc/pki/tls/certs/ca.crt#g' /etc/httpd/conf.d/ssl.conf
sed -i 's#^SSLCertificateKeyFile.*#SSLCertificateKeyFile /etc/pki/tls/private/ca.key#g' /etc/httpd/conf.d/ssl.conf
# Redirect plain-HTTP requests to HTTPS, then restart Apache
echo 'RewriteEngine On' >> /etc/httpd/conf/httpd.conf
echo 'RewriteCond %{HTTPS} off' >> /etc/httpd/conf/httpd.conf
echo 'RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}' >> /etc/httpd/conf/httpd.conf
service httpd restart
# Tell Nagios XI to use HTTPS
sed -i "s#^\$cfg\['use_https'\].*#\$cfg\['use_https'\] = true\;#g" /usr/local/nagiosxi/html/config.inc.php
I then updated the Program URL: to use https://, and Apply configuration works without a hiccup. I believe this issue is most likely related to what I mentioned above, relating to DNS.

Re: Configuring NagiosXI for HTTPS

Posted: Tue Jul 12, 2016 4:39 am
by Fred Kroeger
In the interests of getting a resolution to this - the following is an edited excerpt of the NagiosXI Profile

Code:

Nagios XI Installation Profile
System:
Nagios XI Version : 5.2.9
server200.x.com.au 2.6.32-220.7.1.el6.x86_64 x86_64
CentOS release 6.2 (Final)
Gnome is not installed
Apache Information
PHP Version: 5.3.3
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Server Name: server200
Server Address: 10.1.1.200
Server Port: 443
Date/Time
PHP Timezone: Australia/Perth
PHP Time: Tue, 12 Jul 2016 17:26:44 +0800
System Time: Tue, 12 Jul 2016 17:26:44 +0800
Nagios XI Data
License ends in: MMURRN

nagios (pid 28439) is running...
NPCD running (pid 561).
ndo2db (pid 13406) is running...
CPU Load 15: 0.22
Total Hosts: 17
Total Services: 165
Function 'get_base_uri' returns: https://server200/nagiosxi/
Function 'get_base_url' returns: https://server200/nagiosxi/
Function 'get_backend_url(internal_call=false)' returns: https://server200/nagiosxi/includes/components/profile/profile.php
Function 'get_backend_url(internal_call=true)' returns: https://localhost/nagiosxi/backend/
Ping Test localhost
Running:

/bin/ping -c 3 localhost 2>&1 

PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.020 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.033 ms

--- localhost.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.028/0.033/0.008 ms
Test wget To localhost
WGET From URL: https://localhost/nagiosxi/includes/components/ccm/
Running:

/usr/bin/wget https://localhost/nagiosxi/includes/components/ccm/ 

--2016-07-12 17:26:46-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:443... connected.
ERROR: cannot verify localhost's certificate, issued by "/C=AU/ST=WA/L=Perth/O=XXX/CN=server200":
Self-signed certificate encountered.
ERROR: certificate common name "server200" doesn't match requested host name "localhost".
To connect to localhost insecurely, use '--no-check-certificate'.

Code:

cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

Re: Configuring NagiosXI for HTTPS

Posted: Tue Jul 12, 2016 9:35 am
by rkennedy
This is probably the issue -

Code:

ERROR: certificate common name "server200" doesn't match requested host name "localhost".
To connect to localhost insecurely, use '--no-check-certificate'.
Can you re-create the self signed certificate for localhost?

Otherwise, we may need to make other changes. Can you post a screenshot of your Admin -> System Settings page? Also, what URL / hostname are you using to access the web GUI?
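
Added example (not part of the original post and not from the Nagios documentation): one way to re-create the self-signed certificate so that it is valid for both names seen in the profile output, "server200" and "localhost", and to confirm the match instead of falling back to '--no-check-certificate'. The file names, the two helper functions and the extra name "monitoring.invalid" are assumptions of this example.

```shell
#!/bin/sh
# Added example: self-signed certificate whose subjectAltName covers both the
# public name and the name Nagios XI uses for internal calls.
# PUBLIC_NAME comes from the profile output in the thread; file names and
# helper functions are assumptions of this example.
PUBLIC_NAME=server200

make_cert() {  # $1 = output directory
    cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $PUBLIC_NAME
[v3]
subjectAltName = DNS:$PUBLIC_NAME, DNS:localhost, IP:127.0.0.1
EOF
    # stderr is discarded only to hide key-generation progress output
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/san.cnf" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod go-rwx "$1/server.key"
}

# Succeeds only if the certificate is valid for the given host name.
# -checkhost needs OpenSSL 1.0.2 or later; its exit status does not reflect
# the result, so the printed verdict is matched instead.
cert_matches() {  # $1 = certificate file, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_cert "$workdir"

# monitoring.invalid is a constructed name that must NOT match.
for name in "$PUBLIC_NAME" localhost monitoring.invalid; do
    if cert_matches "$workdir/server.crt" "$name"; then
        echo "$name: covered by certificate"
    else
        echo "$name: NOT covered (host name mismatch, as in the wget error)"
    fi
done
```

The wget output above reports two separate errors; the SAN list addresses only the name mismatch. A self-signed certificate must also be trusted by the client, for example by passing it to wget with --ca-certificate, before verification succeeds.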

Re: Configuring NagiosXI for HTTPS

Posted: Thu Jul 14, 2016 7:48 pm
by Fred Kroeger
So now we're back to my original post in this thread?
There is nothing in the doco about having to create a cert for the local host?
Access to the gui is https://server200/nagiosxi

Code:

Nagios XI Installation Profile
System:
Nagios XI Version : 5.2.9
server200.XXX.com.au 2.6.32-220.7.1.el6.x86_64 x86_64
CentOS release 6.2 (Final)
Gnome is not installed
Apache Information
PHP Version: 5.3.3
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Server Name: server200
Server Address: 10.X.X.X
Server Port: 443
Date/Time
PHP Timezone: Australia/Perth
PHP Time: Fri, 15 Jul 2016 08:38:09 +0800
System Time: Fri, 15 Jul 2016 08:38:09 +0800
Nagios XI Data
License ends in: MMURRN

nagios (pid 4956) is running...
NPCD running (pid 561).
ndo2db (pid 13406) is running...
CPU Load 15: 0.18
Total Hosts: 29
Total Services: 290
Function 'get_base_uri' returns: https://server200/nagiosxi/
Function 'get_base_url' returns: https://server200/nagiosxi/
Function 'get_backend_url(internal_call=false)' returns: https://server200/nagiosxi/includes/components/profile/profile.php
Function 'get_backend_url(internal_call=true)' returns: https://localhost/nagiosxi/backend/
Ping Test localhost
Running:

/bin/ping -c 3 localhost 2>&1 

PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms

--- localhost.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.035/0.036/0.037/0.000 ms
Test wget To localhost
WGET From URL: https://localhost/nagiosxi/includes/components/ccm/
Running:

/usr/bin/wget https://localhost/nagiosxi/includes/components/ccm/ 

--2016-07-15 08:38:11-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:443... connected.
ERROR: cannot verify localhost's certificate, issued by "/C=AU/ST=WA/L=Perth/O=X/CN=server200":
Self-signed certificate encountered.
ERROR: certificate common name "server200" doesn't match requested host name "localhost".
To connect to localhost insecurely, use '--no-check-certificate'

Re: Configuring NagiosXI for HTTPS

Posted: Fri Jul 15, 2016 10:05 am
by rkennedy
Fred,

My suggestion was to fix the certificate; the other solution is to figure out where the reference is and why localhost isn't working properly. Nagios should be using --no-check with most wgets, but this one seems to be different.

See my original comment -

Code:

Otherwise, we may need to make other changes. Can you post a screenshot of your Admin -> System Settings page? Also, what URL / hostname are you using to access the web GUI?
As this has been going on a month now, I'd like to get it resolved for you. Is submitting a ticket in, so that we can get a remote scheduled to fix this once and for all possible?

Re: Configuring NagiosXI for HTTPS

Posted: Tue Jul 19, 2016 1:06 pm
by bhowardFSU
I believe I was able to resolve my issue. Instead of using the RewriteRule, I created a NameVirtualHost and with a 'Redirect / https://my.host.name/', then used NameVirtualHost in ssl.conf as well. After that I was able to use the CCM and deploy new configurations and I was able to upgrade from 5.2.8 to 5.2.9 through the GUI. Both of these were tasks that failed when I did https the other way. I guess this is what happens when you set up a physical host instead of downloading the pre-built VM image.

Re: Configuring NagiosXI for HTTPS

Posted: Tue Jul 19, 2016 4:35 pm
by rkennedy
bhowardFSU wrote: I believe I was able to resolve my issue. Instead of using the RewriteRule, I created a NameVirtualHost and with a 'Redirect / https://my.host.name/', then used NameVirtualHost in ssl.conf as well. After that I was able to use the CCM and deploy new configurations and I was able to upgrade from 5.2.8 to 5.2.9 through the GUI. Both of these were tasks that failed when I did https the other way. I guess this is what happens when you set up a physical host instead of downloading the pre-built VM image.

Thanks for letting us know how you fixed it @bhowardFSU. The hard thing is that each Apache configuration could vary slightly, and unfortunately, every little part of configuration matters.

Fred - see if this helps, and I'll watch for your response.