Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

NagiosXI Certificate Expired

https://support.nagios.com/forum/viewtopic.php?t=53730

Page 1 of 1

NagiosXI Certificate Expired

Posted: Fri May 03, 2019 2:59 pm
by Sampath.Basireddy
NagiosXI certificate expired.

I found this document for "How to configure SSL/TLS" - https://assets.nagios.com/downloads/nag ... s%20XI.pdf

Since the certificate is expired, do I need to follow the complete steps in the document or there any other instructions in case of expiry?

Thank You,
Sampath

Re: NagiosXI Certificate Expired

Posted: Fri May 03, 2019 3:06 pm
by cdienger
If you still have the old csr available you should be able to get away with just getting is signed again(you can increase the expiration time too). If it's a self signed cert this should do the trick:

openssl x509 -req -days 365 -in nagiosxi.csr -signkey nagiosxi.key -out nagiosxi.crt

Once you have the updated cert, just replace the current one a /usr/local/nagiosxi/var/certs/nagiosxi.crt

Re: NagiosXI Certificate Expired

Posted: Fri May 03, 2019 3:22 pm
by Sampath.Basireddy
It is not a self-signed certificate.

Am checking in "/usr/local/nagiosxi/var/certs/" and the folder is empty.

So I checked the file "/etc/httpd/conf.d/ssl.conf" and found below details about Server Certificate & Server Private Key:

Code: Select all

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/ca.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Does this mean Nagios is using certificate "/etc/pki/tls/certs/ca.crt"

Re: NagiosXI Certificate Expired

Posted: Fri May 03, 2019 4:02 pm
by ssax
You will need at least the new certificate and key, if the certificate is issued from a different CA, you will need to make sure that you use that new CA's certificate in your apache configs as well.

SSLCertificateFile /usr/local/nagiosxi/var/certs/nagiosxi.crt <- This is the new cert without the private key
SSLCertificateKeyFile /usr/local/nagiosxi/var/certs/nagiosxi.key <- This is the new cert's private key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt <- Put your entire CA chain in here one on top of the other like this:

Example, ROOT CA with subordinate issuing CA:

Code: Select all

-----BEGIN CERTIFICATE-----
Root CA cert here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Subordinate CA cert here
-----END CERTIFICATE-----

Re: NagiosXI Certificate Expired

Posted: Wed May 08, 2019 5:21 pm
by Sampath.Basireddy
Thanks @ssax. All is good now.

Please close the topic.

Re: NagiosXI Certificate Expired

Posted: Thu May 09, 2019 7:42 am
by scottwilkerson
Sampath.Basireddy wrote:Thanks @ssax. All is good now.

Please close the topic.
Great!

Locking thread
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited