Error: Could not parse XML from https://serve_name/nagiosxi/

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
taandrews
Posts: 93
Joined: Thu Mar 10, 2016 1:55 pm

Re: Error: Could not parse XML from https://serve_name/nagio

Post by taandrews »

There might be a few typos below because I hand typed this.

*About to connect() to my_IP-address port 443 (#0)
*Trying my_IP-address...connected
*Connected to my_IP-address (my_IP-address) port 443 (#0)
*Initializing NSS with certpath: path_to_cert
*warning: ignoring value of ssl.verifyhost
*skipping SSL peer certificate verification
*NSS: client certificate not found (nickname not specified)
*NSS error -12227
*Closing connection #0
curl: (35) NSS: client certificate not found (nickname not specified)

I am researching this error. I also tried the command on a working server and got a lot of output. Seems to be cert related.

I think we are getting closer!
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Post by dwhitfield »

taandrews wrote: I have checked all logs in /var/log/httpd - Nothing is being printed to the log when using the new nagiosadmin's ticket.
So, now that we are pretty sure there is an ssl problem, I wonder if you can go back and look at the ssl_access_log, ssl_error_log, and ssl_request_log. You don't need to worry about the new ticket. That was a workaround.

I'm curious about a number of things that came up during my testing. Are you using yum? rpm -e --nodeps openssl-libs-1.0.1e-60 meant neither curl nor yum worked for me. It looks like openssl-libs is not required for 5 or 6.

If you use yum, you might want to take a look at yum.log. Perhaps some updates in ssl-land caused this to start. Do you have any files that are locked against upgrading? That could be a source of issues.
taandrews
Posts: 93
Joined: Thu Mar 10, 2016 1:55 pm

Post by taandrews »

I have been going through old emails from Sean Sax on your support team. I was getting the curl: (35) NSS: client certificate not found (nickname not specified) when trying to query the certificate authority. He instructed me to make changes to the following files:

nagiosql_delete_contact.php
nagiosql_delete_host.php
nagiosql_delete_service.php
nagiosql_delete_timeperiod.php
nagiosql_exportall.php
nagiosql_importall.php
nagiosql_login.php
/usr/local/nagiosxi/html/includes/utilsx.inc.php
/usr/local/nagiosxi/html/includes/components/xicore/downtime.php

I had to add the path to my cert, key and cacert to these files. It worked back then. Somehow all of these files have been changed. We don't have a configuration management tool that would revert these files back to the original.

I have made those changes to no avail. Also I do not have openssl-libs-1.0.1e installed nor is it in my repo. When I configure the server to use SSL only with the CA server it works fine. According to the ssl_error.log it works perfectly fine with the CA configured.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Post by dwhitfield »

taandrews wrote: Also I do not have openssl-libs-1.0.1e installed nor is it in my repo.
I understand that. What I'm trying to get at is why curl works for you without openssl-libs, but not for me. Are you running CentOS/RHEL 7.2, 7.3, or something else? I'm trying to get my system as much like yours to try to recreate the issue.

Are you still running the same version of XI you did when you worked with Sean? Upgrading XI would have overwritten those changes.
taandrews
Posts: 93
Joined: Thu Mar 10, 2016 1:55 pm

Post by taandrews »

I am running CentOS 6.8 Final. Nagios hasn't been upgraded since I installed it. (5.2.0)
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Post by tmcdonald »

It might be statically-compiled. Run the following as root and post the output here:

Code: Select all

file /usr/bin/curl
ldd /usr/bin/curl
Might need to change the path to curl, but probably not.
Former Nagios employee
taandrews
Posts: 93
Joined: Thu Mar 10, 2016 1:55 pm

Post by taandrews »

As mentioned I cannot paste the results to any logs or commands.
For shorter outputs I can hand type them.

file /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped

The output for ldd /usr/bin/curl is too long to type. Can you send your ldd /usr/bin/curl output so I can compare?
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Post by dwhitfield »

From 6.8

Code: Select all

ldd /usr/bin/curl
        linux-vdso.so.1 =>  (0x00007fff5915f000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007fde9744e000)
        libidn.so.11 => /lib64/libidn.so.11 (0x00007fde9721c000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fde96fca000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fde96dc2000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fde96b7e000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fde96896000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fde9666a000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fde96466000)
        libssl3.so => /usr/lib64/libssl3.so (0x00007fde96222000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x00007fde95ff5000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007fde95cb5000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007fde95a88000)
        libplds4.so => /lib64/libplds4.so (0x00007fde95884000)
        libplc4.so => /lib64/libplc4.so (0x00007fde9567f000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fde95440000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fde95223000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fde9501f000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007fde94df6000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fde94be0000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fde9484c000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fde9463c000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fde94422000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fde94208000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fde976af000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fde93ffc000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fde93df9000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fde93b8b000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fde937a7000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fde93570000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fde93350000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fde9314d000)

taandrews
Posts: 93
Joined: Thu Mar 10, 2016 1:55 pm

Post by taandrews »

I have 32 lines of output with no errors just like yours. I'm not sure what the hex means but mine is more or less the same as your output.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

Does your /usr/local/nagios/libexec/check_nagiosxiserver.php file still have your client certificates on the curl request?

Change this code:

Code: Select all

$response = curl_exec($ch);

To this:
- Make sure to change the crt and key file to the proper ones.

Code: Select all

// Send the client certificate and its private key with the request.
curl_setopt($ch, CURLOPT_SSLCERT, '/usr/local/nagiosxi/html/yourclientcert.crt');
curl_setopt($ch, CURLOPT_SSLKEY, '/usr/local/nagiosxi/html/yourclientcertkey_nopass.key');
$response = curl_exec($ch);

Let us know the results.
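
Added example, not part of the thread and not Nagios code: hand edits like the one above can be lost when the files are replaced, as discussed earlier in the thread, so this shell function lists PHP files under a directory that call curl_exec without setting CURLOPT_SSLCERT and CURLOPT_SSLKEY, or whose quoted certificate or key path is unreadable. The function names and the directory argument are assumptions.

```sh
# Added example (not Nagios code). Function names and the directory argument
# are assumptions made for illustration.

# Print the first quoted string passed as the value of curl option $1 in file $2.
opt_path() {
    sed -n "s/.*curl_setopt([^,]*,[[:space:]]*$1[[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

# List PHP files under $1 that call curl_exec without client-certificate options,
# or that name a certificate/key file the current user cannot read.
# Returns 0 when nothing is reported, 1 otherwise.
audit_client_cert() {
    findings=$(
        grep -rl --include='*.php' 'curl_exec' "$1" | sort | while IFS= read -r f; do
            for opt in CURLOPT_SSLCERT CURLOPT_SSLKEY; do
                if ! grep -qw "$opt" "$f"; then
                    echo "MISSING $opt $f"
                    continue
                fi
                certfile=$(opt_path "$opt" "$f")
                if [ -n "$certfile" ] && [ ! -r "$certfile" ]; then
                    echo "UNREADABLE $opt $certfile $f"
                fi
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as the account that executes the PHP code, for example `audit_client_cert /usr/local/nagiosxi/html`, so the readability check reflects what the curl request will see.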