Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Nagios web interface not showing after SSL cert installed

https://support.nagios.com/forum/viewtopic.php?t=47250

Page 1 of 2

Nagios web interface not showing after SSL cert installed

Posted: Thu Jan 25, 2018 2:03 am
by shamrozkadiwal
So I installed Nagios core 4.1.1 and it was working fine until I installed the SSL cert. Everything seems working fine and I got the "SECURE" word with padlock sign in front of my website after cert got installed. When I try to open nagios url, it even ask me for user/pass. Once I enter the credentails, I don't get the web interface except just white screen.

when i curl to my html page
curl -v https://10.10.10.10 --> I get http 200
curl -v -u nagioadmin:password https://10.10.10.10/nagios --> I got http 301

Code: Select all

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://10.10.10.10/nagios/">here</a>.</p>
</body></html>

ssl_error_log

Code: Select all

[Thu Jan 25 04:22:07.658402 2018] [ssl:warn] [pid 32063] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 04:22:07.696284 2018] [ssl:warn] [pid 32063] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 04:55:23.770667 2018] [ssl:warn] [pid 32524] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 04:55:23.810044 2018] [ssl:warn] [pid 32524] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 04:57:56.076135 2018] [ssl:warn] [pid 32592] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 04:57:56.113848 2018] [ssl:warn] [pid 32592] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:22:43.474198 2018] [ssl:warn] [pid 451] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:22:43.514957 2018] [ssl:warn] [pid 451] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:35:47.355865 2018] [ssl:warn] [pid 621] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:35:47.392811 2018] [ssl:warn] [pid 621] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:42:32.014292 2018] [ssl:warn] [pid 689] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:42:32.051316 2018] [ssl:warn] [pid 689] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:55:15.530718 2018] [ssl:warn] [pid 818] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:55:15.568080 2018] [ssl:warn] [pid 818] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 05:55:26.278077 2018] [authz_core:error] [pid 823] [client 70.113.16.114:65317] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 05:55:33.864310 2018] [authz_core:error] [pid 820] [client 70.113.16.114:65320] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 05:59:06.922378 2018] [authz_core:error] [pid 872] [client 70.113.16.114:49257] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 06:06:44.644208 2018] [authz_core:error] [pid 821] [client 70.113.16.114:49781] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 06:06:47.570040 2018] [authz_core:error] [pid 821] [client 70.113.16.114:49781] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 06:06:51.335476 2018] [authz_core:error] [pid 821] [client 70.113.16.114:49781] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 06:08:18.557294 2018] [authz_core:error] [pid 819] [client 70.113.16.114:49795] AH01630: client denied by server configuration: /usr/local/nagios/share/
[Thu Jan 25 06:08:36.650535 2018] [ssl:warn] [pid 1010] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 06:08:36.687393 2018] [ssl:warn] [pid 1010] AH01909: RSA certificate configured for ::1:443 does NOT include an ID which matches the server name
[Thu Jan 25 06:29:08.931076 2018] [ssl:warn] [pid 1148] AH01909: RSA certificate configured for DJ-MON:443 does NOT include an ID which matches the server name
[Thu Jan 25 06:29:08.968540 2018] [ssl:warn] [pid 1148] AH01909: RSA certificate configured for DJ-MON:443 does NOT include an ID which matches the server name
[Thu Jan 25 06:41:41.905200 2018] [ssl:warn] [pid 1227] AH01909: RSA certificate configured for DJ-MON:443 does NOT include an ID which matches the server name
[Thu Jan 25 06:41:41.940973 2018] [ssl:warn] [pid 1227] AH01909: RSA certificate configured for DJ-MON:443 does NOT include an ID which matches the server name
error_log

Code: Select all

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
[Thu Jan 25 05:55:15.566132 2018] [auth_digest:notice] [pid 818] AH01757: generating secret for digest authentication ...
[Thu Jan 25 05:55:15.566990 2018] [lbmethod_heartbeat:notice] [pid 818] AH02282: No slotmem from mod_heartmonitor
[Thu Jan 25 05:55:15.582600 2018] [mpm_prefork:notice] [pid 818] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Thu Jan 25 05:55:15.582663 2018] [core:notice] [pid 818] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Jan 25 06:08:35.564650 2018] [mpm_prefork:notice] [pid 818] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Jan 25 06:08:36.648460 2018] [core:notice] [pid 1010] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Jan 25 06:08:36.649595 2018] [suexec:notice] [pid 1010] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
[Thu Jan 25 06:08:36.685179 2018] [auth_digest:notice] [pid 1010] AH01757: generating secret for digest authentication ...
[Thu Jan 25 06:08:36.686381 2018] [lbmethod_heartbeat:notice] [pid 1010] AH02282: No slotmem from mod_heartmonitor
[Thu Jan 25 06:08:36.710138 2018] [mpm_prefork:notice] [pid 1010] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Thu Jan 25 06:08:36.710189 2018] [core:notice] [pid 1010] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Jan 25 06:29:07.838819 2018] [mpm_prefork:notice] [pid 1010] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Jan 25 06:29:08.928489 2018] [core:notice] [pid 1148] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Jan 25 06:29:08.929879 2018] [suexec:notice] [pid 1148] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 25 06:29:08.966263 2018] [auth_digest:notice] [pid 1148] AH01757: generating secret for digest authentication ...
[Thu Jan 25 06:29:08.967487 2018] [lbmethod_heartbeat:notice] [pid 1148] AH02282: No slotmem from mod_heartmonitor
[Thu Jan 25 06:29:08.983271 2018] [mpm_prefork:notice] [pid 1148] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Thu Jan 25 06:29:08.983332 2018] [core:notice] [pid 1148] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Jan 25 06:41:40.821566 2018] [mpm_prefork:notice] [pid 1148] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Jan 25 06:41:41.902945 2018] [core:notice] [pid 1227] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Jan 25 06:41:41.904215 2018] [suexec:notice] [pid 1227] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 25 06:41:41.938915 2018] [auth_digest:notice] [pid 1227] AH01757: generating secret for digest authentication ...
[Thu Jan 25 06:41:41.939926 2018] [lbmethod_heartbeat:notice] [pid 1227] AH02282: No slotmem from mod_heartmonitor
[Thu Jan 25 06:41:41.967806 2018] [mpm_prefork:notice] [pid 1227] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Thu Jan 25 06:41:41.967863 2018] [core:notice] [pid 1227] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 10:30 am
by mcapra
This looks like an improperly configured/provisioned SSL certificate. Not really a Nagios Core related issue.

That said, have a look at this StackOverflow article regarding properly setting a server's name:
https://askubuntu.com/questions/256013/ ... d-domain-n

Assuming your certificate has a CN, whatever the CN is on your certificate should match your Apache config's ServerName directive.

If none of that solves the issue, we'd need to see the relevant Apache configurations to offer additional advice.

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 11:13 am
by shamrozkadiwal
mcapra wrote:This looks like an improperly configured/provisioned SSL certificate. Not really a Nagios Core related issue.

That said, have a look at this StackOverflow article regarding properly setting a server's name:
https://askubuntu.com/questions/256013/ ... d-domain-n

Assuming your certificate has a CN, whatever the CN is on your certificate should match your Apache config's ServerName directive.

If none of that solves the issue, we'd need to see the relevant Apache configurations to offer additional advice.
I am still not able to get the nagios web page. I made sure the cert CN name match with ServerName in the httpd.conf. I have attached conf and conf.d file along with logs

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 1:45 pm
by mcapra
It looks as if you might have used the Nagios XI docs when setting this up?

Code: Select all

#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
#</IfModule>
It's worth mentioning that official docs for configuring HTTPS for Nagios Core also exist:
https://support.nagios.com/kb/article/n ... s-595.html

Looking back at your original post after reviewing the configs, I was wrong. A 301 is an expected response on the /nagios path regardless of SSL configuration:

Code: Select all

root@capra_nag conf.d]# curl -v -u nagiosadmin:welcome http://10.35.7.34/nagios
* About to connect() to 10.35.7.34 port 80 (#0)
*   Trying 10.35.7.34...
* Connected to 10.35.7.34 (10.35.7.34) port 80 (#0)
* Server auth using Basic with user 'nagiosadmin'
> GET /nagios HTTP/1.1
> Authorization: Basic bmFnaW9zYWRtaW46aHVudGVyMg==
> User-Agent: curl/7.29.0
> Host: 10.35.7.34
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 25 Jan 2018 18:40:48 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< Location: http://10.35.7.34/nagios/
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.35.7.34/nagios/">here</a>.</p>
</body></html>
* Connection #0 to host 10.35.7.34 left intact
Most web browsers will 301 redirect /nagios to /nagios/ in this case. curl will not unless you pass in the -L parameter:

Code: Select all

[root@capra_nag conf.d]# curl -L -v -u nagiosadmin:hunter2 http://10.35.7.34/nagios
* About to connect() to 10.35.7.34 port 80 (#0)
*   Trying 10.35.7.34...
* Connected to 10.35.7.34 (10.35.7.34) port 80 (#0)
* Server auth using Basic with user 'nagiosadmin'
> GET /nagios HTTP/1.1
> Authorization: Basic bmFnaW9zYWRtaW46aHVudGVyMg==
> User-Agent: curl/7.29.0
> Host: 10.35.7.34
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 25 Jan 2018 18:41:54 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< Location: http://10.35.7.34/nagios/
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host 10.35.7.34 left intact
* Issue another request to this URL: 'http://10.35.7.34/nagios/'
* Found bundle for host 10.35.7.34: 0x132df60
* Re-using existing connection! (#0) with host 10.35.7.34
* Connected to 10.35.7.34 (10.35.7.34) port 80 (#0)
* Server auth using Basic with user 'nagiosadmin'
> GET /nagios/ HTTP/1.1
> Authorization: Basic bmFnaW9zYWRtaW46aHVudGVyMg==
> User-Agent: curl/7.29.0
> Host: 10.35.7.34
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 25 Jan 2018 18:41:54 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< X-Powered-By: PHP/5.4.16
< Content-Length: 1079
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

<html>
<head>
        <meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
<script LANGUAGE="javascript">
        var n = Math.round(Math.random() * 10000000000);
        document.write("<title>Nagios Core on " + window.location.hostname + "</title>");
        document.cookie = "NagFormId=" + n.toString(16);
</script>
        <link rel="shortcut icon" href="images/favicon.ico" type="image/ico">
</head>

<frameset cols="180,*" style="border: 0px;">
        <frame src="side.php" name="side" frameborder="0" style="">
        <frame src="main.php" name="main" frameborder="0" style="">

        <noframes>
                <!-- This page requires a web browser which supports frames. -->
                <h2>Nagios Core</h2>
                <p align="center">
                        <a href="https://www.nagios.org/">www.nagios.org</a><br>
                        Copyright © 2010-2017 Nagios Core Development Team and Community Contributors.
                        Copyright © 1999-2010 Ethan Galstad<br>
                </p>
                <p>
                        <i>Note: These pages require a browser which supports frames</i>
                </p>
        </noframes>
</frameset>

</html>
* Connection #0 to host 10.35.7.34 left intact
Try running your curl with -L.

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 3:20 pm
by dwhitfield
Thanks @mcapra!

OP, let us know if you have any other questions!

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 3:39 pm
by shamrozkadiwal
@mcapra
Initially I tried official doc for configuring HTTPS for Nagios Core, but it didn't work out. Then I tried Nagios XI whcih also didn't work out. I have attached a picture of what I am seeing/getting when try to open the nagios web.

I have put the output of curl -L -v

Code: Select all

[root@dj-mon ~]# curl -L -v -u nagiosadmin:nagiosadm https://monitor.theismailiusa.org/nagios
* About to connect() to monitor.theismailiusa.org port 443 (#0)
*   Trying ::1...
* Connected to monitor.theismailiusa.org (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=monitor.theismailiusa.org
*       start date: Jan 24 21:28:45 2018 GMT
*       expire date: Apr 24 21:28:45 2018 GMT
*       common name: monitor.theismailiusa.org
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* Server auth using Basic with user 'nagiosadmin'
> GET /nagios HTTP/1.1
> Authorization: Basic bmFnaW9zYWRtaW46bmFnaW9zYWRt
> User-Agent: curl/7.29.0
> Host: monitor.theismailiusa.org
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 25 Jan 2018 20:28:45 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Location: https://monitor.theismailiusa.org/nagios/
< Content-Length: 249
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host monitor.theismailiusa.org left intact
* Issue another request to this URL: 'https://monitor.theismailiusa.org/nagios/'
* Found bundle for host monitor.theismailiusa.org: 0x1b74fc0
* Re-using existing connection! (#0) with host monitor.theismailiusa.org
* Connected to monitor.theismailiusa.org (::1) port 443 (#0)
* Server auth using Basic with user 'nagiosadmin'
> GET /nagios/ HTTP/1.1
> Authorization: Basic bmFnaW9zYWRtaW46bmFnaW9zYWRt
> User-Agent: curl/7.29.0
> Host: monitor.theismailiusa.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 25 Jan 2018 20:28:45 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-Powered-By: PHP/5.4.16
< Content-Length: 901
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

<html>
<head>
        <meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
        <title>Nagios Core</title>
        <link rel="shortcut icon" href="images/favicon.ico" type="image/ico">
</head>

<frameset cols="180,*" style="border: 0px; framespacing: 0px">
        <frame src="side.php" name="side" frameborder="0" style="">
        <frame src="main.php" name="main" frameborder="0" style="">

        <noframes>
                <!-- This page requires a web browser which supports frames. -->
                <h2>Nagios Core</h2>
                <p align="center">
                        <a href="https://www.nagios.org/">www.nagios.org</a><br>
                        Copyright © 2010-2015 Nagios Core Development Team and Community Contributors.
                        Copyright © 1999-2010 Ethan Galstad<br>
                </p>
                <p>
                        <i>Note: These pages require a browser which supports frames</i>
                </p>
        </noframes>
</frameset>

</html>
* Connection #0 to host monitor.theismailiusa.org left intact

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 4:48 pm
by dwhitfield
What happens if you go to http://monitor.theismailiusa.org/nagios ... ustypes=28 directly? You're getting the HTML in curl. I mean, no frames obviously, but that's not shocking.

Re: Nagios web interface not showing after SSL cert installe

Posted: Thu Jan 25, 2018 8:15 pm
by shamrozkadiwal
I am able to open the url that you post in the last messages but still not able to open https://www.example.com/nagios.
check my attachment, I tried to break the web link that you sent me to see from where I start getting the nagios page

Re: Nagios web interface not showing after SSL cert installe

Posted: Fri Jan 26, 2018 12:10 am
by tacolover101
i don't know what the effect is, but you're missing a JS function which sets a cookie from what i can tell:

here is what i noticed in my Core instance:

Code: Select all

	var n = Math.round(Math.random() * 10000000000);
	document.write("<title>Nagios Core on " + window.location.hostname + "</title>");
	document.cookie = "NagFormId=" + n.toString(16);
perhaps this effects the PHP internal to the frames?

Re: Nagios web interface not showing after SSL cert installe

Posted: Fri Jan 26, 2018 10:19 am
by dwhitfield
tacolover101 wrote: you're missing a JS function which sets a cookie from what i can tell
I thought this myself, but in 4.1.1 this js isn't present...or at least not following our PDF quickstart install guide for 4.1.1

Have you restarted your browser since this issue started? It could just be a caching issue.

This is what my 4.1.1 gives and is at the very least displaying properly.

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

<html>
<head>
	<meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
	<title>Nagios Core</title>
	<link rel="shortcut icon" href="images/favicon.ico" type="image/ico">
</head>

<frameset cols="180,*" style="border: 0px; framespacing: 0px">
	<frame src="side.php" name="side" frameborder="0" style="">
	<frame src="main.php" name="main" frameborder="0" style="">

	<noframes>
		<!-- This page requires a web browser which supports frames. -->
		<h2>Nagios Core</h2>
		<p align="center">
			<a href="https://www.nagios.org/">www.nagios.org</a><br>
			Copyright © 2010-2015 Nagios Core Development Team and Community Contributors.
			Copyright © 1999-2010 Ethan Galstad<br>
		</p>
		<p>
			<i>Note: These pages require a browser which supports frames</i>
		</p>
	</noframes>
</frameset>

</html>
All times are UTC-05:00
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited