
Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 12:52 pm
by rkymtnhigh
I was attempting to change the CentOS hostname so our Nagios server would quit getting blacklisted by Microsoft, when after a reboot I could no longer access the https webpage.
After checking the httpd error logs, I see where it's telling me the certificate name does not match the hostname.
I've reversed all my changes, but the issue remains after another reboot.

Any ideas where I need to put the old hostname back?

Thank you.

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 2:02 pm
by rkennedy
Why was your server getting blacklisted from Microsoft? I don't believe changing the hostname would have much effect on this.

When you initially changed your hostname, what method did you use?

Also, can you post the exact error logs you are seeing in your ssl_error_log?

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 2:07 pm
by rkymtnhigh
I came across something from Microsoft saying that the emails being sent from Nagios weren't matching the hostname of the server. Something like that.

Anyways, I set the new hostname in /etc/sysconfig/network and also /etc/hosts. I also changed it in /etc/hostname.

That's when the site became inaccessible. Chrome hangs on establishing secure connection.

So I removed all my changes, restarted, and still inaccessible. Here is what ssl_error_log says:

Code:

[Fri Feb 26 11:34:50.937758 2016] [ssl:warn] [pid 6196] AH01909: RSA certificate configured for ip-X-XX-X-XX.example.compute.internal:443 does NOT include an ID which matches the server name

Thank you.

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 2:12 pm
by rkennedy
What is the output from these commands? It seems like something still isn't lining up properly.

Code:

hostname
openssl x509 -in yourcert.crt -noout -subject

Replace yourcert.crt with the full path to your certificate file that XI is using.
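
The check asked for above, extended as an added example that is not part of the original thread: `-subject` prints only the subject DN, while OpenSSL's hostname check uses the subjectAltName DNS entries when any are present, so the script also runs `openssl x509 -checkhost`. The function names, the throwaway certificate and the example.com names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed for `req -addext`.

```shell
#!/bin/sh
# Added example; names and certificate below are constructed samples.
# Assumes the openssl CLI, version 1.1.1 or later (for req -addext).

# cert_subject CERT: print the subject DN, the command used in the thread.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_matches CERT NAME: succeed only if NAME passes OpenSSL's hostname
# check, which uses subjectAltName DNS entries and ignores the CN when
# any are present.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# make_test_cert DIR CN SAN: write a throwaway self-signed certificate
# whose CN and SAN deliberately differ.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/test.key" -out "$1/test.crt" 2>/dev/null
}

# report CERT NAME: print a one-line verdict for NAME.
report() {
    if cert_matches "$1" "$2"; then
        echo "match:    $2"
    else
        echo "NO match: $2"
    fi
}

demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" "old-name.example.com" "nagios.example.com"
cert_subject "$demo_dir/test.crt"              # shows only the CN
report "$demo_dir/test.crt" "$(hostname)"      # this machine's current hostname
report "$demo_dir/test.crt" "nagios.example.com"
report "$demo_dir/test.crt" "old-name.example.com"
rm -rf "$demo_dir"
```

On a real server, pass the file named by SSLCertificateFile in ssl.conf and the name clients use to reach the site.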

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 2:22 pm
by rkymtnhigh
It's the same now.
When I first started troubleshooting this issue it was different, so I made a new cert with the correct hostname copied from the hostname command.
Still having the same issue.

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 2:28 pm
by rkennedy
Did you update the Apache configuration to use the new certificate? At this point I believe the new certificate you created was not exactly correct, or something is still referencing the old one.

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 3:49 pm
by rkymtnhigh
I updated ssl.conf to use the new keys, but I think you are right, something is still referencing the old one.

After updating to the new cert, the messages about RSA certs not including an ID that matches the server name seem to have stopped.

Still not accepting port 443!

At this point, I'm going through this tutorial https://assets.nagios.com/downloads/nag ... s%20XI.pdf
And just trying to build all the SSL elements from scratch. Still no luck!

A netstat -tulpn says both 80 and 443 are LISTENING, but I cannot telnet to either port. 22 works fine.

EDIT: Starting and Stopping iptables seems to have opened the connections up.
Now I am getting Forbidden: You don't have permission to access /nagiosxi on this server.

EDIT2:
Getting this in the httpd error_log:

Code:

[Fri Feb 26 14:20:19.687940 2016] [authz_core:error] [pid 23380] [client XX.XX.XXX.XXX:58844] AH01630: client denied by server configuration: /usr/local/nagiosxi/html
[Fri Feb 26 14:20:23.608042 2016] [authz_core:error] [pid 23381] [client ::1:54348] AH01630: client denied by server configuration: /usr/local/nagiosxi/html/backend/
[Fri Feb 26 14:20:31.843146 2016] [authz_core:error] [pid 23378] [client XX.XX.XXX.XXX:58895] AH01630: client denied by server configuration: /usr/local/nagiosxi/html
[Fri Feb 26 14:20:43.763923 2016] [authz_core:error] [pid 23379] [client XX.XX.X.XX:36681] AH01630: client denied by server configuration: /usr/local/nagiosxi/html/backend/
[Fri Feb 26 14:20:43.851205 2016] [authz_core:error] [pid 23386] [client ::1:54351] AH01630: client denied by server configuration: /usr/local/nagiosxi/html/backend/
[Fri Feb 26 14:21:02.810781 2016] [authz_core:error] [pid 23381] [client ::1:54355] AH01630: client denied by server configuration: /usr/local/nagiosxi/html/backend/

Re: Can't access site (ssl) after hostname change

Posted: Fri Feb 26, 2016 4:43 pm
by rkymtnhigh
Iptables needed to be started and stopped for it to actually be stopped? wut

Then I had to put my original config back in the nagiosxi.conf file (I had overwritten it trying to troubleshoot and it broke some perms)

Thanks, you guys!

Got it working.

Re: Can't access site (ssl) after hostname change

Posted: Mon Feb 29, 2016 10:02 am
by lmiltchev
It's nice to hear that! I will be locking this thread now. If you have any more issues/questions, please start a new one.