Nagios Support Forum

We are getting a Peer's Certificate issuer is not recognized. when we run the following CURL command for API access.

[root@nagios ~]# curl -XGET "https://nagios.acentek.net/nagiosxi/api ... =localhost"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

If we run the URL from the Curl command in our browser we get localhost info back. And if we run the CURL command with -k at the end we get localhost info as expected. We don't know why we are having Certificate verification errors.

Hi @acentek,

The way around this without using the -k or --insecure option would be to add the Nagios XI server as a trusted certificate to this sever. Take a look at the following solution to get the certificate and copy the crt file to /etc/pki/ca-trust/source/anchors (Cent/RHEL) on this server.

curl (60) peer’s certificate issuer is not recognized

Red Hat Documentation
4.14. USING SHARED SYSTEM CERTIFICATES

Let me know if that resolves the error for you.

Benjamin

So today we've been working with OpsGenie recently on this. They asked that i swing this by you.

I think this bit of the logs should provide most of what they're looking for - this shows the full request and request payload, and the success response from Nagios indicating that it *should* be executing the action (and that particular action - cmd_typ= 33).

**** LOG DATA ****

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.opsgenie.com:443
DEBUG:urllib3.connectionpool:https://api.opsgenie.com:443 "GET /v2/alerts/4204f161-4fd1-4ca8-8d69-154671fe51a9-1597673884237 HTTP/1.1" 200 None
DEBUG:root:[Acknowledge]:Posting to Nagios. Url https://localhost/nagios/cgi-bin/cmd.cgi params:{'btnSubmit': 'Commit', 'cmd_mod': '2', 'send_notification': 'off', 'host': 'mautic', 'com_author': 'opsgenie', 'com_data': 'Acknowledged by [email protected] via Opsgenie', 'sticky_ack': 'on', 'cmd_typ': '33'}
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): localhost:443
DEBUG:urllib3.connectionpool:https://localhost:443 "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 None
INFO:root:[Acknowledge]: Successfully executed at Nagios.
DEBUG:root:[Acknowledge]: Nagios response: b'<html>\n<head>\n<link rel="shortcut icon" href="/nagios/images/favicon.ico" type="image/ico">\n<title>\nExternal Command Interface\n</title>\n<LINK REL=\'stylesheet\' TYPE=\'text/css\' HREF=\'/nagios/stylesheets/common.css\'>\n<LINK REL=\'stylesheet\' TYPE=\'text/css\' HREF=\'/nagios/stylesheets/cmd.css\'>\n</head>\n<body CLASS=\'cmd\'>\n\n<!-- Produced by Nagios (https://www.nagios.org). Copyright (c) 1999-2007 Ethan Galstad. -->\n<table border=0 width=100%>\n<tr>\n<td align=left valign=top width=33%>\n<TABLE CLASS=\'infoBox\' BORDER=1 CELLSPACING=0 CELLPADDING=0>\n<TR><TD CLASS=\'infoBox\'>\n<DIV CLASS=\'infoBoxTitle\'>External Command Interface</DIV>\nLast Updated: Mon Aug 17 13:26:17 CDT 2020<BR>\nNagios® Core™ 4.2.4 - <A HREF=\'https://www.nagios.org\' TARGET=\'_new\' CLASS=\'homepageURL\'>www.nagios.org</A><BR>\nLogged in as <i>nagiosadmin</i><BR>\n</TD></TR>\n</TABLE>\n</td>\n<td align=center valign=top width=33%>\n</td>\n<td align=right valign=bottom width=33%>\n</td>\n</tr>\n</table>\n<P><DIV CLASS=\'infoMessage\'>Your command request was successfully submitted to Nagios for processing.<BR><BR>\nNote: It may take a while before the command is actually processed.<BR><BR>\n<A HREF=\'javascript:window.history.go(-2)\'>Done</A></DIV></P>\n<!-- Produced by Nagios (https://www.nagios.org). Copyright (c) 1999-2007 Ethan Galstad. -->\n</body>\n</html>\n' response code: 200


**** LOG DATA ****

From there, they should be able to troubleshoot at what point within Nagios that command is actually failing, I would think.

So my question is how do you verify that API request worked because we are not seeing the alarm's get ACKed but with the above you see it attempted to send the ACK to nagios.

Now its more of External Command calls from OpsGenie but why is it failing? Is there a number I can call to actually get support to look at this?

Hi @acentek,

Since there are not obvious errors in the output you posted, let's turn on external command logging and then try to run those commands through Opsgenie and we'll see if we can determine the source of the issue.

Edit the main nagios configuration file at /usr/local/nagios/etc/nagios.cfg and turn on the following option: Save and restart nagios and see what is logged in the nagios.log files when the next command comes in.

Also, check the Audit Log to see if the command came in and are there any issues executing Acknowledgements vis the XI web interface?

Lastly, a system profile would be helpful to check the package versions and logs for additional information. Thanks, Benjamin

To send us your system profile.
Login to the Nagios XI GUI using a web browser.
Click the "Admin" > "System Profile" Menu
Click the "Download Profile" button
Save the profile.zip file and share in a private message or upload it to the post/ticket, and then reply to this post to bring it up in the queue.

Edited the config

Restarted nagios

Created a service alert.

[1597798025] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;2;inactive
[1597798078] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;3;inactive
[1597798080] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;mautic;Apache Web Server;1597798077
[1597798082] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;SOFT;4;inactive
[1597798085] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;mautic;Apache Web Server;1597798077
[1597798087] SERVICE ALERT: mautic;Apache Web Server;CRITICAL;HARD;5;inactive
[1597798087] SERVICE NOTIFICATION: opsgenie_for_IT_Team;mautic;Apache Web Server;CRITICAL;notify-service-by-opsgenie_Contact_2;inactive
[1597798087] SERVICE NOTIFICATION: opsgenie_for_IT_Team;mautic;Apache Web Server;CRITICAL;notify-service-by-opsgenie_Contact;inactive

Acked in OpsGenie

[1597798109] EXTERNAL COMMAND: ACKNOWLEDGE_HOST_PROBLEM;mautic;2;1;0;Nagios Administrator;Acknowledged by [email protected] via Opsgenie

No Audit log during this timeframe

Sent you profile.zip in PM.

Hi @acentek,

Thanks for the profile. I see you have opened a ticket for this issue as well, let's continue to troubleshoot this issue via the ticket. I've attached the system profile to that ticket as well.