
certificate problems

Posted: Thu Jan 24, 2019 2:27 pm
by Bitflogger
Hello, I am running v5.5.8 64-bit / VM / CentOS 7

This is my Nagios XI test server.

I requested certificates from a trusted source, and received three, described as:

as X509 Certificate only, Base64 encoded
as X509 Intermediates/root only, Base64 encoded
as X509 Intermediates/root only Reverse, Base64 encoded

The first one works, but some web site checks have a problem with it, for example:

[ead@xxx ~]$ ./check_ssl_cert -H xxx.doit.wisc.edu --critical 7 --warning 30 --timeout 5 --ignore-sig-alg
SSL_CERT CRITICAL xxx.doit.wisc.edu: Cannot verify certificate: unable to get local issuer certificate, unable to verify the first certificate|days=728;30;7;;
[ead@xxx ~]$

While this plugin is OK with it:

[ead@xxx ~]$ ./check_ssl_cert_expiry -H xxx.doit.wisc.edu -w 5 -c 6
OK: 728 days are left for SSL Certificate Expiration on Host xxx.doit.wisc.edu
[ead@xxx ~]$

Installation of the second and third certificates, with intermediates, seems to have a problem:

[ead@xxx ~]$ sudo /usr/sbin/apachectl restart
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Are there additional instructions for installing a certificate with intermediates?

Earl

Re: certificate problems

Posted: Fri Jan 25, 2019 11:05 am
by cdienger
The two certs that are not working don't contain the server cert (Intermediates/root), so the fact that they fail isn't surprising. You should only need to use the server cert (Certificate only).

The difference between the plugins is that the one that doesn't appear to work uses openssl's -verify option while the other one doesn't. The failing one is unable to verify the certificates used to sign the cert because they're not installed on the system. You can try adding them to the end of /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt or using check_ssl_cert's -r option to specify a location to find the intermediate and root certs. From https://github.com/matteocorti/check_ss ... k_ssl_cert:
echo " -r,--rootcert path root certificate or directory to be used for"
echo " certificate validation"
echo " --rootcert-dir path root directory to be used for certificate validation"
echo " --rootcert-file path root certificate to be used for certificate validation"
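
The difference between the two plugins described in the reply above, reproduced offline as an added example (not part of the original thread and not code from either plugin). It builds a constructed root, intermediate and server certificate, then shows that reading the expiry date succeeds, that `openssl verify` with only the root trusted fails with "unable to get local issuer certificate", and that trusting the intermediate alongside the root makes verification pass. All certificate names and file paths are made up for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI for the demo: demo-root -> demo-int -> demo-server.
# Every name and file here is made up; nothing touches the system trust store.

make_chain() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root int server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Expiry-only check: parses the certificate, never builds a chain.
expiry_only() { openssl x509 -noout -enddate -in "$1"; }

# Chain check: $1 = file of trusted CA certs, $2 = certificate to verify.
verify_chain() { openssl verify -CAfile "$1" "$2" 2>&1; }

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK" || { echo "could not build demo chain (is openssl installed?)" >&2; exit 1; }
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"

echo "expiry only:       $(expiry_only "$WORK/server.pem")"
echo "root trusted only: $(verify_chain "$WORK/root.pem" "$WORK/server.pem" | tr '\n' ' ')"
echo "root+intermediate: $(verify_chain "$WORK/bundle.pem" "$WORK/server.pem")"
```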

Re: certificate problems

Posted: Fri Jan 25, 2019 1:33 pm
by Bitflogger
Hello,

Please lock the case.

Earl

Re: certificate problems

Posted: Fri Jan 25, 2019 1:35 pm
by cdienger
Will do!