
SSL Issues: Configuration write failed - Dataset not found

Posted: Fri Apr 09, 2010 6:07 pm
by mmestnik
Firstly, Apache has no way of knowing about client certificate errors. What the server sees is the client saying goodbye after the server provided the certificate. This is for security: the client has already decided it can't trust the server, so it's treated as hostile and no information about why is exposed. The server doesn't treat this as an error; it's the same as though a pipelined request asked for 3 URLs instead of 4, or 4 URLs and not 5, or 5 URLs and not 6... ...or 10094 URLs and not 10095.

I'm sure using redirects will break other things. As I said before, you should only need port 80 on the loopback interface, so you can, as you say, make sure all of your traffic is encrypted... You just can't encrypt all of your memory. Using 127.0.0.1 does not generate any Ethernet traffic, just TCP/IP frames passed from one application to another internally; no physical hardware is involved.

You should be able to use a certificate that has 127.0.0.1 and localhost listed as alternate names. 8-)

Problem using SSL with XI

Posted: Sat Apr 10, 2010 2:25 am
by Box293
I created a procedure on how to enable SSL in Nagios XI
Configuring SSL For Nagios XI.zip
Previously posted at http://support.nagios.com/forum/viewtopic.php?f=6&t=125.

Problem #1
I have since discovered that when CCM is set to https, "Apply Configuration" ceases to function correctly.

Here is how the problem is reproducible:
  • Log in to CCM
  • Click the menu Config Manager Admin and then click Config Manager Settings
  • Change Server protocol to https
  • Click the Save button
Once I do this I go to the localhost PING service and duplicate it. I edit the copy, fix the name so it's PING TEST and click Save.
I click the Apply Configuration button.
After clicking Apply Configuration I get the error that the configuration did not apply properly.

The details are:
    Nagios Core 3.2.0
    Copyright (c) 2009 Nagios Core Development Team and Community Contributors
    Copyright (c) 1999-2009 Ethan Galstad
    Last Modified: 08-12-2009
    License: GPL

    Website: http://www.nagios.org
    Reading configuration data...
    Read main config file okay...
    Processing object config directory '/usr/local/nagios/etc/static'...
    Processing object config file '/usr/local/nagios/etc/static/xiobjects.cfg'...
    Processing object config file '/usr/local/nagios/etc/static/xitemplates.cfg'...
    Processing object config file '/usr/local/nagios/etc/static/xitest.cfg'...
    Processing object config file '/usr/local/nagios/etc/contacttemplates.cfg'...
    Processing object config file '/usr/local/nagios/etc/contactgroups.cfg'...
    Processing object config file '/usr/local/nagios/etc/contacts.cfg'...
    Processing object config file '/usr/local/nagios/etc/timeperiods.cfg'...
    Processing object config file '/usr/local/nagios/etc/commands.cfg'...
    Processing object config file '/usr/local/nagios/etc/hostgroups.cfg'...
    Processing object config file '/usr/local/nagios/etc/servicegroups.cfg'...
    Processing object config file '/usr/local/nagios/etc/hosttemplates.cfg'...
    Processing object config file '/usr/local/nagios/etc/servicetemplates.cfg'...
    Processing object config file '/usr/local/nagios/etc/servicedependencies.cfg'...
    Processing object config file '/usr/local/nagios/etc/serviceescalations.cfg'...
    Processing object config file '/usr/local/nagios/etc/hostdependencies.cfg'...
    Processing object config file '/usr/local/nagios/etc/hostescalations.cfg'...
    Processing object config file '/usr/local/nagios/etc/hostextinfo.cfg'...
    Processing object config file '/usr/local/nagios/etc/serviceextinfo.cfg'...
    Processing object config directory '/usr/local/nagios/etc/hosts'...
    Processing object config file '/usr/local/nagios/etc/hosts/localhost.cfg'...
    Processing object config directory '/usr/local/nagios/etc/services'...
    Processing object config file '/usr/local/nagios/etc/services/localhost.cfg'...
    Error: Template 'linux-server' specified in host definition could not be not found (config file '/usr/local/nagios/etc/hosts/localhost.cfg', starting on line 14)
    Error processing object config files!


    ***> One or more problems was encountered while processing the config files...

    Check your configuration file(s) to ensure that they contain valid
    directives and data defintions. If you are upgrading from a previous
    version of Nagios, you should be aware that some variables/definitions
    may have been removed or modified in this version. Make sure to read
    the HTML documentation regarding the config files, as well as the
    'Whats New' section to find out what has changed.
I then click Try Again and it tells me that it was successful.
I click the Continue button and it takes me back to the services section.
The duplicated PING TEST says Out of Sync.

No matter how many times I click the Apply Configuration button, it tells me that it was successfully applied; however, the service is always Out of Sync.
Also, if I go and create another service, the same issue continues: it tells me that it was successfully applied, however all of the new services are always Out of Sync.

I go back to Config Manager Settings and Change Server protocol to http.
I then click Apply Configuration and it successfully applies. The Sync Status now says Synced for all of my new services.


Is my procedure correct? Is there something I am missing that is causing the problem?


Problem #2
Using IE:
I go to the Manage Configuration Snapshots section
I click either the Download or View Output icon
I get the error "Unable to download coreconfigsnapshots from xibase.ed.local" Unable to open this Internet site .......
However if I open Firefox and try either the Download or View Output icon it works fine.


Problem #3
Using IE:
I click the Home link
I click the Monitoring Process link
I get a Security Warning window saying "Do you want to view only the webpage content that was delivered securely?

Using Firefox:
I click the Home link
I click the Monitoring Process link
I get a Security Warning window saying "You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."

Is my procedure correct? Is there something I am missing that is causing the problem?

Everything above has been using 2009R1.1F.

Thanks
Troy

Re: Problem using SSL with XI

Posted: Sun Apr 11, 2010 5:12 pm
by mmestnik
I think the fix for this was to include both localhost and 128.0.0.1 as alternate names in the cert used for SSL.

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 4:12 am
by tonyyarusso
Glad to see this is resolved Dave.

Configuration write failed - Round 2 - Dataset not found

Posted: Mon Apr 12, 2010 10:03 am
by edgeweb
Well, mostly resolved. Yes, I understand why the connection was failing to localhost over SSL. As for the redirect, that was not something I configured or added; it is NagiosQL. Port 80 is indeed open and the localhost can connect, but if the protocol is set to "https" then NagiosQL performs a redirect to the https URL, upon which the wget call fails. As for the cert, it is a commercial cert, not self-signed, so adding an additional hostname is not practical. One option would be to modify the script and add "--no-check-certificate" to the wget command. Because the connection is to the localhost, the chances of something like a MitM attack would be lower (if I've compromised the host, performing a MitM attack against a script connecting to the localhost would be a lot of work with little reward). That said, it is a consideration.

So the problem right now is that I would have to have a self-signed cert, not the commercial certificate. So, as I see it, there would be a few possible solutions:
1. Apply a self-signed cert which includes "localhost" as a common name which is bound in Apache to 127.0.0.1
2. Modify the export_nagiosql.sh to include "--no-check-certificate" in the arguments for wget
3. Modify the cron scripts to use the correct name (the one entered into the "program url" in the System Settings area).
4. Modify the NagiosQL scripts to not perform a redirect for connections from the localhost.

The summary here is that if I am in a situation where I am using a commercial certificate, there are some configuration/modifications that need to be done to have both NagiosXI functioning properly, and also make sure that my users are connecting using only an HTTPS connection. That said, none of that is documented. So my request would be that someone provide a way that I can use a commercial cert, force the HTTPS connection for my users, and still have XI functioning correctly. Call it a feature request, bug, whatever, it seems like something I should be able to get from a commercial product.

Thanks,

Dave

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 10:38 am
by mmestnik
Generate a self-signed cert. Configure another/separate listener for 127.0.0.1:443, à la virtual hosts using SSL, which all get a unique IP address.

Sorry for this inconsistent manner that we use for re-accessing the applications. I'm almost positive you are getting a cert error in some cases and connecting over http in others.
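The two-listener layout described in the post above, written out as an added example. This is not configuration from the thread or from Nagios XI/NagiosQL; the public address 203.0.113.10, the hostname xi.example.com, the DocumentRoot and all certificate paths are placeholders.

```apache
# Added example: the commercial certificate on the public address, a
# self-signed certificate on the loopback address. 203.0.113.10,
# xi.example.com, the DocumentRoot and the file paths are assumptions.
Listen 127.0.0.1:80
Listen 127.0.0.1:443
Listen 203.0.113.10:443

# Loopback HTTP: the only port-80 listener on the box. Cron/export scripts
# talking to localhost never leave the host, and nothing answers on port 80
# on the public address, so users cannot fall back to cleartext.
<VirtualHost 127.0.0.1:80>
    ServerName localhost
    DocumentRoot /usr/local/nagiosxi/html
</VirtualHost>

# Loopback TLS: a self-signed certificate whose subjectAltName carries
# DNS:localhost and IP:127.0.0.1. NagiosQL's redirect to https://localhost/
# lands here. Callers that verify must trust this one file, e.g.
# wget --ca-certificate=/etc/pki/tls/certs/localhost.crt ...
<VirtualHost 127.0.0.1:443>
    ServerName localhost
    DocumentRoot /usr/local/nagiosxi/html
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

# Public TLS: the commercial certificate, bound to its own IP because, as the
# post says, each SSL virtual host gets a unique address (no SNI assumed).
<VirtualHost 203.0.113.10:443>
    ServerName xi.example.com
    DocumentRoot /usr/local/nagiosxi/html
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/xi.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/xi.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/xi-intermediate.crt
</VirtualHost>
```

The point of keeping the self-signed certificate on a separate address is that the commercial certificate is never asked to cover "localhost", and the scripts get a certificate they can pin rather than one they have to ignore.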

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 12:14 pm
by edgeweb
No problem,
I'm just saying that it is something I am sure others would like (forcing end users, in my case technicians, to use HTTPS rather than HTTP), so it would be useful to integrate it into the product or provide an easier way for administrators to.

Thanks,

Dave

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 1:27 pm
by edgeweb
I generated a new self-signed cert and added it to the apache config:
<VirtualHost localhost:443>
    # keep apache from complaining about cn mismatch
    ServerName localhost
    SSLEngine on
    SSLCertificateFile /path/to/localhost.crt
    SSLCertificateKeyFile /path/to/localhost.key
</VirtualHost>

Still no love. Wget complains:
Connecting to localhost|127.0.0.1|:443... connected.
ERROR: cannot verify localhost's certificate, issued by `/C=US/ST=******/L=*****O=****/OU=**/CN=localhost/emailAddress=*******':
Self-signed certificate encountered.

So it looks like the self-signed cert may not do it.

Thanks,

Dave

Re: Configuration write failed - Dataset not found - Please help

Posted: Mon Apr 12, 2010 1:34 pm
by mmestnik
The cert needs 127.0.0.1 as an alternate name. It's tricky how to do that last time I did this I had to copy the config file hand edit it and then pass it as a parameter.

http://www.openssl.org/docs/apps/x509v3 ... tive_Name_

Configuration write failed - Round 3 - Dataset not found

Posted: Mon Apr 12, 2010 4:19 pm
by edgeweb
I gave it a shot, but wget still complains. It's not a problem with a hostname/CN mismatch; it's complaining that it is a self-signed cert (I'm guessing because it is an unknown CA).

Thanks,

Dave
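The two pieces the last few posts circle around, as an added example that is not code from the thread, from Nagios XI or from NagiosQL: mmestnik's step (put 127.0.0.1 and localhost into the certificate's subjectAltName via a hand-edited openssl config passed with -config) and Dave's remaining failure (wget rejects the cert because no trust anchor knows it, not because of the name). The second part is fixed by handing wget the self-signed cert as its CA with --ca-certificate instead of turning verification off. The temp directory, the one-year validity and the URL argument of fetch_pinned are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios XI/NagiosQL).
# 1. Generate a self-signed cert with subjectAltName = DNS:localhost, IP:127.0.0.1
#    using a hand-written openssl config (the "copy the config and edit it" step).
# 2. Show that verification fails with no trust anchor (Dave's wget error) and
#    succeeds once this exact cert is the anchor (what --ca-certificate does).
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumption: scratch directory
CNF="$WORK/localhost.cnf"
KEY="$WORK/localhost.key"
CRT="$WORK/localhost.crt"

# The edited openssl config: [req] points -x509 at [v3_req], which carries
# the SAN. prompt=no takes the subject straight from the req_dn section.
write_openssl_config() {
    cat > "$CNF" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_req

[ req_dn ]
CN = localhost

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost, IP:127.0.0.1
EOF
}

# Key plus self-signed certificate (RSA 2048, one year: assumed validity).
make_cert() {
    write_openssl_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$CNF" -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Print the SAN line of the generated cert, e.g. "DNS:localhost, IP Address:127.0.0.1".
list_san() {
    openssl x509 -in "$CRT" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# No anchor: the chain ends at an issuer nobody trusts, so this exits non-zero.
# This is the "Self-signed certificate encountered" that wget printed.
verify_without_anchor() {
    openssl verify "$CRT" >/dev/null 2>&1
}

# Anchor = the cert itself: exits 0 even though the cert is self-signed.
verify_with_anchor() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# The call an export script would make, pinning the cert instead of passing
# --no-check-certificate. Needs the 127.0.0.1:443 listener, so not run here.
fetch_pinned() {
    wget --ca-certificate="$CRT" -O - "$1"
}

main() {
    make_cert
    echo "subjectAltName: $(list_san)"
    if verify_without_anchor; then
        echo "unexpected: verified with no trust anchor"
        return 1
    fi
    echo "no anchor: rejected as self-signed (the wget error in the thread)"
    verify_with_anchor
    echo "pinned via -CAfile: accepted"
}
main
```

--ca-certificate makes wget verify against exactly this one file, so a different certificate appearing on 127.0.0.1:443 still fails, whereas --no-check-certificate accepts anything at all.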