Nagios Support Forum

After upgrading one of our Nagios servers to from version 5.6.2. to version 5.6.8, I get an HTTP 500 Error when attempting to go to https://nagioshost/nagiosxi/.

The /var/log/httpd/ssl_error_log indicates a permissions issue.

[Wed Oct 06 07:56:05.050077 2021] [:error] [pid 34003] [client 172.20.207.3:65281] PHP Warning: file_get_contents(/usr/local/nagiosxi/var/keys/xi.key): failed to open stream: Permission denied in /usr/local/nagiosxi/html/includes/utilsl-helpers.inc.php on line 0, referer: https://nagioshost/
[Wed Oct 06 07:56:05.050123 2021] [:error] [pid 34003] [client 172.20.207.3:65281] PHP Fatal error: Decryption error: Key file at was empty or unable to be read by apache. in /usr/local/nagiosxi/html/includes/utilsl-helpers.inc.php on line 0, referer: https://nagioshost/

chmoding /usr/local/nagiosxi/var/keys/xi.key from 640 to 644 allows the page to load.

Thanks in advance for your help.

Mine is working with 640 on /usr/local/nagiosxi/var/keys/xi.key so I'm wondering what's different on yours.

What is the output of these commands on the XI server as root?

ls -l /usr/local/nagiosxi/var/keys/xi.key # to see the owner/group
-rw-r--r-- 1 nagios nagios 33 Aug 21 2019 /usr/local/nagiosxi/var/keys/xi.key

uname -a
Linux nagioshost 3.10.0-1160.31.1.el7.x86_64 #1 SMP Tue Jun 8 17:33:18 PDT 2021 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/*release
Oracle Linux Server release 7.9
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Oracle Linux Server release 7.9

grep nag /etc/group
nagios1000:nagios,apache,snmptt
nagcmd20187:nagios,apache,snmptt

umask
0022

su - nagios
umask
0002

That all looks proper.

Are you running apache as a different user/group?
Is your Oracle Linux server AD or LDAP integrated? Meaning when you login through SSH you're using AD or LDAP credentials?

What is the output of these commands?

grep "User \|Group " /etc/httpd/conf/httpd.conf
User apache
Group apache

Authentication utilizes LDAP.

getent group nagios
nagios1000:nagios,apache,snmptt
getent group nagcmd
nagcmd20187:nagios,apache,snmptt
getent group apache
apache48:

The only thing that I can think is that it has something to do with LDAP because the permissions of 640, nagios user, nagios group permissions on the file (the defaults) should work because the apache user (which apache is running as) is a part of the nagios group:
Which the 4 in 640 provides read permissions to the nagios group so it should able to read it.

Working with our systems team, we were able to find the problem. We have a local nagios user and a nagios user in NIS. By running ls -ln /usr/local/nagiosxi/var/keys/xi.key instead of ls -l /usr/local/nagiosxi/var/keys/xi.key, we found that the gid was not set to the NIS group. Updating the permissions to use the local gid resolved the issue.

Awesome, thanks for posting the resolution! Let us know when we're okay to lock this up and mark it as resolved.

You can mark this as resolved.

Thanks...John