
Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 8:39 am
by hbouma
I am attempting to follow the instructions in https://assets.nagios.com/downloads/nag ... ponent.pdf for Nagios XI, however, when I copy the certificate information from der format, and attempt to import it into Nagios, it tells me that "This certificate has already been added"

I know that the certificate is not yet present as none of the existing certs have the same end date, but there are several CAs already in Nagios as it communicates to various LDAP environments and products.

How can I force Nagios to import this new CA to trust it for the check_LDAP checks?

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 11:29 am
by gsmith
Hi,

Please don't use the der format - from https://assets.nagios.com/downloads/nag ... ponent.pdf :

page 4: [screenshot from the PDF, attachment Image6.jpg]
page 6: [screenshot from the PDF, attachment Image7.jpg]

Please let us know how that works for you.

Thanks

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 12:13 pm
by hbouma
Sorry, it was Base-64, not DER.

It is readable in Notepad and starts and ends with the expected lines. However, Nagios XI will not accept the value.

I have done this from a command line in the past as Nagios was unhappy with these values before we upgraded the CA in these LDAP environments. However, I cannot find my documentation on what was done.

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 12:26 pm
by gsmith
Hey,

What OS is that Nagios XI server running on?

Thx

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 12:30 pm
by hbouma
This is running a VM of RHEL 7.9, 64-bit.

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 2:35 pm
by gsmith
Hi,

Here's what I have from my notes. If something doesn't work,
try one of the alternatives surrounded by single *; the items surrounded by *** are
extra information:
For when you want a client to trust a server's self-signed cert

on the client:
openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
note - in the above the server name (or IP address) is required in two places - look for the word server

type "quit", followed by the "ENTER" key

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

*** If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata. ***

*** If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone with the
curl command line tool: --cacert [file] ***

to add to CA certificate store:
openssl x509 -outform der -in cacert.pem -out cacert.crt

sudo cp cacert.crt /etc/pki/ca-trust/source/anchors -- this location for CentOS machines
* sudo cp cacert.crt /usr/local/share/ca-certificates -- this location for Ubuntu 16 *

sudo update-ca-trust extract (CentOS 8)
* sudo update-ca-certificates (other distro versions) *
* sudo dpkg-reconfigure ca-certificates (Ubuntu 16) *
Let me know if that works for you

Thanks
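As an added example, not code from the thread or from Nagios: a Python helper that takes the capture produced by the "openssl s_client -showcerts" step above, pulls out every PEM block in chain order (the issuing CA is the last one, which is the block to copy into the anchors directory), and decides by SHA-256 fingerprint rather than by end date whether that CA is already in the trust store. The capture text and certificate bytes are constructed placeholders, not real certificates, and the server name ldap01.example.test and the CA name are assumed.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes, NOT real certificates: just enough for the
# PEM / base64 / fingerprint logic to run offline.
LEAF_DER = b"constructed leaf certificate bytes"
CA_DER = b"constructed CA certificate bytes"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_from_der(der):
    """Wrap DER bytes in PEM armour (body left unwrapped; fine for a placeholder)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----")

# Constructed stand-in for `openssl s_client -showcerts ... > cacert.pem`:
# handshake chatter plus the chain, leaf first and issuing CA last.
SAMPLE_CAPTURE = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = ldap01.example.test\n   i:CN = Example Internal CA\n"
    + pem_from_der(LEAF_DER) + "\n"
    " 1 s:CN = Example Internal CA\n   i:CN = Example Internal CA\n"
    + pem_from_der(CA_DER) + "\n---\nServer certificate\n"
)

def extract_pem_blocks(capture):
    """Every certificate in the capture, in chain order, as clean PEM."""
    return ["-----BEGIN CERTIFICATE-----\n" + body.strip()
            + "\n-----END CERTIFICATE-----" for body in PEM_BLOCK.findall(capture)]

def fingerprint_der(der):
    """SHA-256 fingerprint in the colon-separated form `openssl x509` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fingerprint_pem(pem):
    body = "".join(PEM_BLOCK.search(pem).group(1).split())
    return fingerprint_der(base64.b64decode(body, validate=True))

def new_anchor(capture, trusted_fingerprints):
    """Return the chain's last cert (the CA) as PEM if its fingerprint is not
    already trusted, else None. A fingerprint identifies the exact cert; an
    end date does not (two certs can share one, or a re-issue can look new)."""
    blocks = extract_pem_blocks(capture)
    if not blocks:
        raise ValueError("no certificate in capture; did s_client connect?")
    ca = blocks[-1]
    return None if fingerprint_pem(ca) in trusted_fingerprints else ca
```

To compare against a real anchors directory, feed fingerprint_pem() each file there and pass the resulting set as trusted_fingerprints.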

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 2:45 pm
by hbouma
I added the certs using the method listed below.

It doesn't show them in the GUI, so I am not 100% sure if Nagios will trust them until we go live with the new CA on 7/29. I will let you know once we know.

Re: Unable to add new certificate CA into Nagios XI

Posted: Fri Jul 16, 2021 5:11 pm
by gsmith
Hi,

I was doing some research and I haven't seen a way to "pre-load" a server's
future cert on a client.

The one thought I had was you could fire up a test server and verify it trusts one of
the LDAP machines. Then change the date on the test server to 07/30 and see what happens.
I am betting you would need to import the "new" cert from the server.

Not sure if you're aware, because some people miss this, but you are entitled to use your
license on 3 machines. Here's the info:
Nagios XI License Policy
With every purchase we offer 3 separate activations of XI licenses. One for production, one for testing, and one for high availability. We always recommend upgrading on a test server first before making changes to the production server.

Nagios License Entitlements
https://support.nagios.com/kb/article.php?id=145
If it was me I would like to know before 29 July ;)

Thanks

Re: Unable to add new certificate CA into Nagios XI

Posted: Mon Jul 19, 2021 7:10 am
by hbouma
Thank you. We do have a TST server set up and in use.

However, we cannot perform the import of the new CA until maintenance on the 29th; there is no LDAP server using the new CA at this time for testing.

Re: Unable to add new certificate CA into Nagios XI

Posted: Mon Jul 19, 2021 9:22 am
by gsmith
OK. I will leave this open until I hear back from you in the future.

Thanks