Error: could not use certificate file 'nagios_server.pem'

Posted: Thu Nov 17, 2016 12:21 am
by ruffy01
EDIT: Please use code tags

Hi all :)

I've just duplicated our physical CentOS 7/Nagios server onto a Hyper-V Gen 2 VM.
When I say duplicated, I mean it's a completely fresh installation: CentOS 7, Nagios Core-4.1.1 with NRPE-3.0. NSClient++ is installed/configured on the monitored servers.
I then went on to secure NRPE with certificate authentication. Everything went well, BUT I'm encountering this error on the web interface for all checks:

Error: could not use certificate file '/usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem'.

I can run:

Code:

[root@nagios]# /usr/local/nagios/libexec/check_nrpe -f /usr/local/nagios/etc/check_nrpe.config -H 192.168.0.x
I (0.4.4.19 2015-12-08) seem to be doing fine...

I copied a lot of .cfg files from the physical server and then generated the CA and necessary certificates on the VM.
As far as I can tell, everything is configured the same as the physical server (which works).

I tried generating new certificates which didn't help. I also ensured permissions on the certificates were the same as the physical server.

Can anyone point me in the right direction?

Regards,
Andrew.

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 11:08 am
by avandemore
Custom checks aren't supported, but the first thing I notice is you're running the test as root while nagios would be running the check as nagios.

Test with:

Code:

# su - nagios
$ /usr/local/nagios/libexec/check_nrpe -f /usr/local/nagios/etc/check_nrpe.config -H 192.168.0.x

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 4:40 pm
by ruffy01
Thanks for the reply avandemore.

OK, I tried:

Code:

# su - nagios
$ /usr/local/nagios/libexec/check_nrpe -f /usr/local/nagios/etc/check_nrpe.config -H 192.168.0.x
Error: could not use CA certificate '/usr/local/nagios/etc/ssl/ca/ca_cert.pem

That would appear to imply a permissions error of some sort, so I changed the owner of the files to 'nagios' and the group to 'nagios' (and then 'nagcmd'), which didn't help.
I'm sorry, I'm missing something.

Regards,
Andrew

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 4:50 pm
by avandemore
What is the output from:

Code:

# la -la /usr/local/nagios/etc/ssl/ca/ca_cert.pem

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:03 pm
by ruffy01
Umm,

The output from:

Code:

# la -la /usr/local/nagios/etc/ssl/ca/ca_cert.pem
bash: la: command not found...

Unfortunately I can't copy/paste from the VM, so please excuse the slow reply.
Thanks avandemore.

Would regenerating the certificates while logged in as the user 'nagios' help?

Cheers,
Andrew

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:16 pm
by ruffy01
Is this what I should have run:

Code:

# ls -la /usr/local/nagios/etc/ssl/ca/ca_cert.pem
-rw -rw -rw 1 nagios nagcmd 2094 Nov 16 15:06 /usr/local/nagios/etc/ssl/ca/ca_cert.pem

Cheers,
Andrew

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:29 pm
by avandemore
Yes, good catch. Now try:

Code:

# su - nagios
$ cat /usr/local/nagios/etc/ssl/ca/ca_cert.pem

We don't need to see the output, just trying to confirm reading of it. That output looks very weird.

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:32 pm
by ssax
In addition to avandemore's post, please attach a sanitized copy of this file:

Code:

/usr/local/nagios/etc/check_nrpe.config

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:50 pm
by ruffy01

Code:

# su - nagios
$ cat /usr/local/nagios/etc/ssl/ca/ca_cert.pem
permission denied...

A copy of check_nrpe.config:

Code:

-C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem
-K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key
-A /usr/local/nagios/etc/ssl/ca/ca_cert.pem
-2

Cheers,
Andrew

Re: Error: could not use certificate file 'nagios_server.pem

Posted: Thu Nov 17, 2016 5:56 pm
by ssax
Please post the output of these commands:

Code:

sestatus
ls -ld /usr/local/nagios/etc/ssl/ca/
ls -ld /usr/local/nagios/etc/ssl/

Thank you
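
The checks requested in this thread (read the file as nagios, then `ls -ld` on each parent directory) can be done in one pass over the path. The shell script below is an added example, not code from any poster or from the Nagios project; the function names `perm_digit` and `first_blocked` are hypothetical, and it evaluates classic mode bits only, so the `sestatus` question still has to be answered separately.

```shell
#!/bin/sh
# Added example, not from the thread. It evaluates classic mode bits only:
# POSIX ACLs and SELinux are not considered, and root bypasses these bits,
# so a check that works as root can still fail for the nagios account.
# Requires GNU stat (stat -c), as shipped with CentOS 7.

# perm_digit MODE OWNER GROUP USER "GROUP LIST"
# Prints the octal digit (owner, group or other) that applies to USER.
# MODE is the value printed by `stat -c %a`, e.g. 644, 1777 or 0.
perm_digit() {
    mode=$(printf '%03d' $(( $1 % 1000 )))   # drop setuid/sticky digit, pad 0 -> 000
    pos=3
    if [ "$4" = "$2" ]; then
        pos=1
    else
        for g in $5; do
            if [ "$g" = "$3" ]; then pos=2; fi
        done
    fi
    printf '%s\n' "$mode" | cut -c "$pos"
}

# first_blocked USER "GROUP LIST" /absolute/path
# Prints the first component USER cannot search (directory) or read (file)
# and returns 1. Returns 0 if every component passes, 2 if stat fails.
first_blocked() {
    user=$1 grps=$2 rest=${3#/} current=
    while [ -n "$rest" ]; do
        current="$current/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        meta=$(stat -L -c '%a %U %G' "$current") || return 2
        set -- $meta
        digit=$(perm_digit "$1" "$2" "$3" "$user" "$grps")
        if [ -d "$current" ]; then need=1; else need=4; fi   # x on dirs, r on the file
        if [ $(( digit & need )) -eq 0 ]; then
            printf '%s mode=%s owner=%s group=%s\n' "$current" "$1" "$2" "$3"
            return 1
        fi
    done
    return 0
}

# Usage: sh this_script.sh nagios "nagios nagcmd" /path/to/ca_cert.pem
if [ $# -eq 3 ]; then first_blocked "$@"; fi
```

Pass the account name and its group list (for example the output of `id -Gn nagios`) together with each of the three paths from `check_nrpe.config`.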