
Nagios Core - Configuring SSL/TLS

Configuring SSL/TLS For Nagios Core

This KB article describes how to configure your Nagios Core server to use certificates for SSL/TLS. It can also be used as an initial point for troubleshooting SSL/TLS connections.

This guide is broken up into several sections and covers different operating system (OS) distributions. If your OS Distribution is not included in this guide then please contact us to see if we can get it added. Some distributions may be missing as we don't have access to a test environment that allows us to develop the documentation.

Nagios Core 4.3.2 is the version used when creating this KB article.

Note: This guide is based on Nagios Core being installed using the following KB article:

Documentation - Installing Nagios Core From Source

 

Terminology

For your information:

  • SSL  = Secure Sockets Layer

  • TLS = Transport Layer Security

TLS replaces SSL; however, the tools used to implement both generally use SSL in their names and directives. For simplicity, the rest of this KB article will use the term SSL.

To implement SSL you need to generate a certificate. When you generate a certificate, you create a request that needs to be signed by a Certificate Authority (CA). This CA can be:

  • A trusted company like VeriSign

  • An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA

  • The Nagios Core server itself (self signed)

The CA will then provide you with a signed certificate.

This documentation can be used to generate a request that can be submitted to any of these CA types.

 

Editing Files

In many steps of this article you will be required to edit files. This documentation will use the vi text editor. When using the vi editor:

  • To make changes press i on the keyboard first to enter insert mode

  • Press Esc to exit insert mode

  • When you have finished, save the changes in vi by typing :wq and press Enter


 


CentOS | RHEL | Oracle Linux

Prerequisites

Perform these steps to install the pre-requisite packages.

yum install -y mod_ssl openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file. Execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values. Some can be left blank, but the most important value is the Common Name. In the example below core-013.domain.local has been used, which means this is the address you will need to use when you access the Nagios Core server in your web browser. This is particularly important: if the two don't match, you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:NSW
Locality Name (eg, city) [Default City]:Sydney
Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:core-013.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above, a password was not supplied; it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text; this is what you will need to provide to your trusted CA. You must provide the CA with everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

cp certfile.crt /etc/pki/tls/certs/
cp keyfile.key /etc/pki/tls/private/
chmod go-rwx /etc/pki/tls/certs/certfile.crt
chmod go-rwx /etc/pki/tls/private/keyfile.key
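
The following check is an added example, not part of the original KB article: before pointing Apache at the files, it confirms that the key, request and certificate carry the same public key, that the Common Name is the address users will type, that the key is not readable by group or other, and that the certificate is not about to expire. The function names, argument order and 30-day default are assumptions of this example; the file names are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm the files produced by the
# steps above belong together before Apache is pointed at them.
# Function names, argument order and the 30-day default are assumptions.

# Print the PEM public key carried by a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# Print the Common Name from a certificate subject, lower-cased.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' |
        head -n 1 | tr 'A-Z' 'a-z'
}

# check_tls_pair KEY CSR CERT HOSTNAME [MIN_DAYS]
# Prints one FAIL line per problem; returns 0 only if every check passes.
check_tls_pair() {
    key=$1; csr=$2; cert=$3; min_days=${5:-30}
    host=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    rc=0

    # 1. Private key must not be accessible to group or other (chmod go-rwx).
    perms=$(ls -ld "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key group/other permissions are '$perms'"; rc=1
    fi

    # 2. Key, CSR and certificate must all carry the same public key. A
    #    mismatch usually means the CA signed a different request, or the
    #    wrong text was pasted into certfile.crt.
    kpub=$(pubkey_of key "$key")
    if [ -z "$kpub" ]; then
        echo "FAIL: cannot read a private key from $key"; rc=1
    else
        if [ "$(pubkey_of csr "$csr")" != "$kpub" ]; then
            echo "FAIL: $csr was not generated from $key"; rc=1
        fi
        if [ "$(pubkey_of cert "$cert")" != "$kpub" ]; then
            echo "FAIL: $cert does not match $key"; rc=1
        fi
    fi

    # 3. Common Name must equal the address users type into the browser.
    #    (Exact match only; wildcard names are not expanded here.)
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$host" ]; then
        echo "FAIL: certificate CN '$cn' is not '$host'"; rc=1
    fi

    # 4. Certificate must stay valid for at least MIN_DAYS more days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days (or is unreadable)"
        rc=1
    fi

    return $rc
}

# Stand-alone use, run as root from the directory holding certrequest.csr:
#   sh check_tls_pair.sh /etc/pki/tls/private/keyfile.key certrequest.csr \
#       /etc/pki/tls/certs/certfile.crt core-013.domain.local
if [ "$#" -ge 4 ]; then
    check_tls_pair "$@" && echo "OK: key, request and certificate agree"
fi
```

The same function works unchanged on the other distributions in this guide; only the key and certificate paths passed to it differ.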

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command:

vi /etc/httpd/conf.d/ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/pki/tls/certs/certfile.crt
SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command:

vi /etc/httpd/conf/httpd.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

===== CentOS 5.x / 6.x | RHEL 5.x / 6.x | Oracle Linux 5.x / 6.x =====

service httpd restart

 

===== CentOS 7.x | RHEL 7.x | Oracle Linux 7.x =====

systemctl restart httpd.service

 

Firewall Rules

You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface.

===== CentOS 5.x / 6.x | RHEL 5.x / 6.x | Oracle Linux 5.x / 6.x =====

iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT
service iptables save
ip6tables -I INPUT -p tcp --destination-port 443 -j ACCEPT
service ip6tables save

 

===== CentOS 7.x | RHEL 7.x | Oracle Linux 7.x =====

firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working, you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then restart the httpd service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

 

 

Ubuntu

Prerequisites

Perform these steps to install the pre-requisite packages.

sudo apt-get update
sudo apt-get install -y openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file. Execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values. Some can be left blank, but the most important value is the Common Name. In the example below core-047.domain.local has been used, which means this is the address you will need to use when you access the Nagios Core server in your web browser. This is particularly important: if the two don't match, you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-047.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above, a password was not supplied; it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text; this is what you will need to provide to your trusted CA. You must provide the CA with everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

sudo cp certfile.crt /etc/ssl/certs/
sudo cp keyfile.key /etc/ssl/private/
sudo chmod go-rwx /etc/ssl/certs/certfile.crt
sudo chmod go-rwx /etc/ssl/private/keyfile.key

 

Update Apache Configuration

Enable the mod_ssl and mod_rewrite modules in Apache by executing the following commands:

sudo a2enmod ssl
sudo a2enmod rewrite

 

Now you have to tell the Apache web server where to find the certificate and key files. Open the following file in vi by executing the following command:

===== Ubuntu 13.x =====

sudo vi /etc/apache2/sites-available/default-ssl

 

===== Ubuntu 14.x / 15.x / 16.x / 17.x =====

sudo vi /etc/apache2/sites-available/default-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile    /etc/ssl/certs/certfile.crt
SSLCertificateKeyFile /etc/ssl/private/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the following file in vi by executing the following command:

===== Ubuntu 13.x =====

sudo vi /etc/apache2/sites-available/default

 

===== Ubuntu 14.x / 15.x / 16.x / 17.x =====

sudo vi /etc/apache2/sites-available/000-default.conf

 

Navigate to the end of the file (press SHIFT + G), and before </VirtualHost> add the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Now you have to enable this configuration in Apache by executing the following command:

===== Ubuntu 13.x =====

sudo a2ensite default-ssl

 

===== Ubuntu 14.x / 15.x / 16.x / 17.x =====

sudo a2ensite default-ssl.conf

 

Reload Apache Web Server

You need to reload Apache for the new certificate key to be used.

===== Ubuntu 13.x / 14.x =====

sudo service apache2 reload

 

===== Ubuntu 15.x / 16.x / 17.x =====

sudo systemctl reload apache2.service

 

Firewall Rules

You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface.

sudo ufw allow https
sudo ufw reload

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working, you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then reload the apache2 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 

 

SUSE SLES | openSUSE Leap

Prerequisites

Perform these steps to install the pre-requisite packages.

sudo zypper --non-interactive install openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file. Execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values. Some can be left blank, but the most important value is the Common Name. In the example below core-045.domain.local has been used, which means this is the address you will need to use when you access the Nagios Core server in your web browser. This is particularly important: if the two don't match, you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-045.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above, a password was not supplied; it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text; this is what you will need to provide to your trusted CA. You must provide the CA with everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

sudo cp certfile.crt /etc/apache2/ssl.crt/
sudo cp keyfile.key /etc/apache2/ssl.key/
sudo chmod go-rwx /etc/apache2/ssl.crt/certfile.crt
sudo chmod go-rwx /etc/apache2/ssl.key/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. There is a template vhost-ssl.template file that will be copied and then modified. Execute the following commands:

sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
sudo vi /etc/apache2/vhosts.d/vhost-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/apache2/ssl.crt/certfile.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the /etc/apache2/default-server.conf file in vi by executing the following command:

sudo vi /etc/apache2/default-server.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Now you have to enable SSL in Apache by executing the following commands:

sudo /usr/sbin/a2enmod rewrite
sudo /usr/sbin/a2enmod ssl
sudo /usr/sbin/a2enflag SSL

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

===== SUSE SLES 11.x =====

sudo /sbin/service apache2 restart

 

===== SUSE SLES 12.x | openSUSE =====

sudo systemctl restart apache2.service

 

Firewall Rules

You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface.

===== SUSE SLES 11.x =====

Port 443 is enabled when Apache is configured; nothing needs to be done.

 

===== SUSE SLES 12.x =====

sudo /usr/sbin/SuSEfirewall2 open EXT TCP 443
sudo systemctl restart SuSEfirewall2.service

 

===== openSUSE =====

Port 443 is enabled when Apache is configured; nothing needs to be done.

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working, you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then reload the apache2 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 
 

Debian | Raspbian

All steps on Debian must be run as root. To become root, simply run:

Debian:

su

 

Raspbian:

sudo -i

 

All commands from this point onwards will be as root.

 

Prerequisites

Perform these steps to install the pre-requisite packages.

apt-get update
apt-get install -y openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file. Execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values. Some can be left blank, but the most important value is the Common Name. In the example below core-033.domain.local has been used, which means this is the address you will need to use when you access the Nagios Core server in your web browser. This is particularly important: if the two don't match, you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-033.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above, a password was not supplied; it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text; this is what you will need to provide to your trusted CA. You must provide the CA with everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

cp certfile.crt /etc/ssl/certs/
cp keyfile.key /etc/ssl/private/
chmod go-rwx /etc/ssl/certs/certfile.crt
chmod go-rwx /etc/ssl/private/keyfile.key

 

Update Apache Configuration

Enable the mod_ssl and mod_rewrite modules in Apache by executing the following commands:

a2enmod ssl
a2enmod rewrite

 

Now you have to tell the Apache web server where to find the certificate and key files. Open the following file in vi by executing the following command:

===== Debian 7.x =====

vi /etc/apache2/sites-available/default-ssl

 

===== Debian 8.x =====

vi /etc/apache2/sites-available/default-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile    /etc/ssl/certs/certfile.crt
SSLCertificateKeyFile /etc/ssl/private/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the following file in vi by executing the following command:

===== Debian 7.x =====

vi /etc/apache2/sites-available/default

 

===== Debian 8.x =====

vi /etc/apache2/sites-available/000-default.conf

 

Navigate to the end of the file (press SHIFT + G), and before </VirtualHost> add the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Now you have to enable this configuration in Apache by executing the following command:

===== Debian 7.x =====

a2ensite default-ssl

 

===== Debian 8.x =====

a2ensite default-ssl.conf

 

Reload Apache Web Server

You need to reload Apache for the new certificate key to be used.

===== Debian 7.x =====

service apache2 reload

 

===== Debian 8.x =====

systemctl reload apache2.service

 

Firewall Rules

You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface.

iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT
apt-get install -y iptables-persistent

If prompted, answer yes to saving existing rules.

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working, you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then reload the apache2 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 

 

Fedora

Prerequisites

Perform these steps to install the pre-requisite packages.

dnf install -y mod_ssl openssl
dnf update -y

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values, some can be left blank, however the most important value is the Common Name. In the example below you can see that core-038.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:NSW
Locality Name (eg, city) [Default City]:Sydney
Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:core-038.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above a password was not supplied, it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
Which should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
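The key, request and self-signing steps above, run without prompts in a scratch directory and then checked before the files are copied. This is an added example, not part of the original KB article; it goes one step beyond the article by also writing the host name into a subjectAltName extension, because current browsers match the name against that extension rather than the Common Name. The -subj values, the san.ext file and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: the key, request and self-sign steps
# run without prompts in a scratch directory, then checked before deployment.
# The -subj values, san.ext and the function names are assumptions.

FQDN="core-038.domain.local"   # sample host name, as in the article's prompt

# Create keyfile.key, certrequest.csr and certfile.crt in directory $1 for host $2.
make_selfsigned() {
    ( cd "$1" || exit 1
      umask 077                                   # key readable by its owner only
      openssl genrsa -out keyfile.key 2048 2>/dev/null || exit 1
      openssl req -new -key keyfile.key -out certrequest.csr \
          -subj "/C=AU/ST=NSW/L=Sydney/O=My Company Pty Ltd/CN=$2" || exit 1
      # Browsers match the host name against subjectAltName, so add one.
      printf 'subjectAltName = DNS:%s\n' "$2" > san.ext
      openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key \
          -extfile san.ext -out certfile.crt 2>/dev/null )
}

# Succeed when private key $1 and certificate $2 carry the same public key.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeed when certificate $1 has a subjectAltName and matches host name $2.
name_ok() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name' || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeed when certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check on the files in directory $1 for host name $2.
check_deployable() {
    rc=0
    pair_matches "$1/keyfile.key" "$1/certfile.crt" ||
        { echo "FAIL certfile.crt was not issued for keyfile.key"; rc=1; }
    name_ok "$1/certfile.crt" "$2" ||
        { echo "FAIL certificate does not name $2 in subjectAltName"; rc=1; }
    valid_for_days "$1/certfile.crt" 30 ||
        { echo "FAIL certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK certfile.crt and keyfile.key are ready to copy"
    return "$rc"
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
make_selfsigned "$WORK" "$FQDN" && check_deployable "$WORK" "$FQDN"
```

For a certificate returned by a CA, run check_deployable against the directory holding the pasted certfile.crt; pair_matches catches a certificate that was issued for a different request.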
 

Copy Files

You need to copy the certificate files to the correct location and set permissions, execute the following commands:

cp certfile.crt /etc/pki/tls/certs/
cp keyfile.key /etc/pki/tls/private/
chmod go-rwx /etc/pki/tls/certs/certfile.crt
chmod go-rwx /etc/pki/tls/private/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command:

vi /etc/httpd/conf.d/ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/pki/tls/certs/certfile.crt
SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes, you have finished editing this file. 

 

Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command:

vi /etc/httpd/conf/httpd.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes, you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

systemctl restart httpd.service

 

Firewall Rules

You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface.

firewall-cmd --zone=FedoraServer --add-port=443/tcp
firewall-cmd --zone=FedoraServer --add-port=443/tcp --permanent

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then restart the httpd service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 
 

Arch Linux

Prerequisites

Perform these steps to install the pre-requisite packages.

pacman --noconfirm -Syyu
pacman --noconfirm -S openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values, some can be left blank, however the most important value is the Common Name. In the example below you can see that core-088.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-088.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above a password was not supplied, it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
Which should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions, execute the following commands:

cp certfile.crt /etc/httpd/conf/
cp keyfile.key /etc/httpd/conf/
chmod go-rwx /etc/httpd/conf/certfile.crt
chmod go-rwx /etc/httpd/conf/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. Open the /etc/httpd/conf/extra/httpd-ssl.conf file in vi by executing the following command:

vi /etc/httpd/conf/extra/httpd-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/httpd/conf/certfile.crt
SSLCertificateKeyFile /etc/httpd/conf/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes, you have finished editing this file. 

 

Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command:

vi /etc/httpd/conf/httpd.conf

 

Find the following lines and remove the # from the beginning:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
Include conf/extra/httpd-ssl.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes, you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

systemctl daemon-reload
systemctl restart httpd.service
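The two directives edited in httpd-ssl.conf can be checked against the files on disk before the restart above. This is an added example, not part of the original KB article; its function names and the scratch sample it builds are assumptions, and on a real server you would call audit_ssl_conf /etc/httpd/conf/extra/httpd-ssl.conf.

```shell
#!/bin/sh
# Added example (not from the KB article): audit the certificate directives
# the article edits. Function names and sample files are this example's own.

# Print the path given to directive $2 in config file $1. Commented-out lines
# are skipped and the last active occurrence is taken.
directive_path() {
    awk -v d="$2" 'tolower($1) == tolower(d) { p = $2 }
                   END { gsub(/"/, "", p); print p }' "$1"
}

# Succeed when the first PEM header in file $1 contains the text $2.
pem_is() {
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null)
    case $hdr in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Succeed when group and other have no permission bits on file $1.
owner_only() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Check that both directives in config file $1 point at usable files.
audit_ssl_conf() {
    conf=$1; rc=0
    crt=$(directive_path "$conf" SSLCertificateFile)
    key=$(directive_path "$conf" SSLCertificateKeyFile)
    if [ ! -f "$crt" ]; then
        echo "FAIL SSLCertificateFile missing: $crt"; rc=1
    elif ! pem_is "$crt" 'BEGIN CERTIFICATE-----'; then
        echo "FAIL $crt is not a certificate (request or key pasted?)"; rc=1
    fi
    if [ ! -f "$key" ]; then
        echo "FAIL SSLCertificateKeyFile missing: $key"; rc=1
    else
        pem_is "$key" 'PRIVATE KEY-----' ||
            { echo "FAIL $key is not a private key"; rc=1; }
        owner_only "$key" ||
            { echo "FAIL $key is accessible to group or other"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK $conf"
    return "$rc"
}

# Constructed sample: a scratch directory standing in for /etc/httpd/conf,
# with placeholder PEM bodies (only the headers matter to this audit).
pem_stub() {
    printf '%s\n' "-----BEGIN $2-----" "constructed" "-----END $2-----" > "$1"
}
make_sample() {
    pem_stub "$1/certfile.crt"    "CERTIFICATE"
    pem_stub "$1/keyfile.key"     "PRIVATE KEY"
    pem_stub "$1/certrequest.csr" "CERTIFICATE REQUEST"
    chmod go-rwx "$1/certfile.crt" "$1/keyfile.key"
    printf '%s\n' "#SSLCertificateFile \"/constructed/old.crt\"" \
                  "SSLCertificateFile \"$1/certfile.crt\"" \
                  "SSLCertificateKeyFile \"$1/keyfile.key\"" > "$1/httpd-ssl.conf"
}

SAMPLE=$(mktemp -d) && trap 'rm -rf "$SAMPLE"' EXIT
make_sample "$SAMPLE"
audit_ssl_conf "$SAMPLE/httpd-ssl.conf"
```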

 

Firewall Rules

Arch Linux does not have a firewall enabled in a fresh installation. Please refer to the Arch Linux documentation on allowing TCP port 443 inbound.

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then restart the httpd service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 


 

Gentoo

Prerequisites

The existing Apache installation will already have the prerequisites installed.

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values, some can be left blank, however the most important value is the Common Name. In the example below you can see that core-044.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-044.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above a password was not supplied, it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
Which should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions, execute the following commands:

cp certfile.crt /etc/ssl/apache2/
cp keyfile.key /etc/ssl/apache2/
chmod go-rwx /etc/ssl/apache2/certfile.crt
chmod go-rwx /etc/ssl/apache2/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. Open the /etc/apache2/vhosts.d/00_default_ssl_vhost.conf file in vi by executing the following command:

vi /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/ssl/apache2/certfile.crt
SSLCertificateKeyFile /etc/ssl/apache2/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes, you have finished editing this file. 

 

Open the /etc/apache2/vhosts.d/default_vhost.include file in vi by executing the following command:

vi /etc/apache2/vhosts.d/default_vhost.include

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes, you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

service apache2 restart

 

Firewall Rules

Gentoo does not have a firewall enabled in a fresh installation. Please refer to the Arch Linux documentation on allowing TCP port 443 inbound.

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/apache2/vhosts.d/default_vhost.include file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then restart the apache2 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 

 

FreeBSD

Prerequisites

Perform these steps to install the pre-requisite packages.

pkg install -y openssl

 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values, some can be left blank, however the most important value is the Common Name. In the example below you can see that core-037.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-037.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above a password was not supplied, it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
Which should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions, execute the following commands:

cp certfile.crt /usr/local/etc/apache24/
cp keyfile.key /usr/local/etc/apache24/
chmod go-rwx /usr/local/etc/apache24/certfile.crt
chmod go-rwx /usr/local/etc/apache24/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to find the certificate and key files. Open the /usr/local/etc/apache24/extra/httpd-ssl.conf file in vi by executing the following command:

vi /usr/local/etc/apache24/extra/httpd-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /usr/local/etc/apache24/certfile.crt
SSLCertificateKeyFile /usr/local/etc/apache24/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes, you have finished editing this file. 

 

Open the /usr/local/etc/apache24/httpd.conf file in vi by executing the following command:

vi /usr/local/etc/apache24/httpd.conf

 

Find the following lines and remove the # from the beginning:

LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
Include etc/apache24/extra/httpd-ssl.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes, you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate key to be used.

service apache24 restart

 

Firewall Rules

Please refer to the FreeBSD documentation for information on how to enable or configure IP Filter to allow TCP port 80 inbound.

Documentation - Firewalls

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self-signed certificate warning, but that is OK; you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /usr/local/etc/apache24/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then restart the apache24 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 

 

Solaris

Tested with Solaris 11.

Prerequisites

The prerequisite packages should already be installed when installing Nagios Core as per:

Documentation - Installing Nagios Core From Source

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

That would have generated some random text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values, some can be left blank, however the most important value is the Common Name. In the example below you can see that core-041.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:AU
State or Province Name (full name) []:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) []:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-041.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above a password was not supplied, it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

cp certfile.crt /etc/apache2/2.2/
cp keyfile.key /etc/apache2/2.2/
chmod go-rwx /etc/apache2/2.2/certfile.crt
chmod go-rwx /etc/apache2/2.2/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to look for the certificate files. There is a sample ssl.conf file that will be copied and then modified. Execute the following commands:

cp /etc/apache2/2.2/samples-conf.d/ssl.conf /etc/apache2/2.2/conf.d/
chmod +w /etc/apache2/2.2/conf.d/ssl.conf
vi /etc/apache2/2.2/conf.d/ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /etc/apache2/2.2/certfile.crt
SSLCertificateKeyFile /etc/apache2/2.2/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the /etc/apache2/2.2/httpd.conf file in vi by executing the following command:

vi /etc/apache2/2.2/httpd.conf

 

Add the following lines to the end of the file (press SHIFT + G):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate and key to be used.

svcadm disable apache22
svcadm enable apache22

 

Firewall Rules

On a manually networked system, IP Filter is not enabled by default. Please refer to the Solaris documentation for information on how to enable or configure IP Filter to allow TCP port 443 inbound.

Documentation - Configuring IP Filter

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self signed certificate warning, but that is OK, you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/apache2/2.2/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then disable and re-enable the apache22 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 

 

 

Apple OS X

Prerequisites

The prerequisite packages should already be installed when installing Nagios Core as per:

Documentation - Installing Nagios Core From Source
 

All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: 

cd ~

 

Generate Private Key File

The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048

 

The command will have printed some random-looking text.

 

Generate Certificate Request File

Next you will generate the certificate request file by executing the following command:

openssl req -new -key keyfile.key -out certrequest.csr

 

You will need to supply some values; some can be left blank, but the most important value is the Common Name. In the example below core-063.domain.local has been used, which means this is the address you will need to use when you access the Nagios Core server in your web browser. This is particularly important: if the two don't match, you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

The following is an example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:core-063.domain.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

As you can see above, a password was not supplied; it is not necessary.

 

Sign Certificate Request

At this point you have created a certificate request that needs to be signed by a CA.


Using A Trusted CA Company

If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command:

cat certrequest.csr

 
You'll get a lot of random-looking text; this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor:

vi certfile.crt

 
You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file.

Save the file and close vi.

You can now proceed to the Copy Files step.

 

Using A Microsoft Windows CA

If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597

After following the KB article you will have the certfile.crt file and you can proceed to the Copy Files step.

 

Self Signing The Certificate

You can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

 
This should produce output saying the Signature was OK and it was Getting Private Key.

Note: When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
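
Before moving on to the Copy Files step (here, or in the Solaris steps earlier in this article), you can confirm that certfile.crt was issued for keyfile.key, carries the Common Name you intend to browse to, and has not expired. The following shell function is an added example and is not part of the original KB article; the name check_cert_pair and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check run from the directory that holds
# certfile.crt and keyfile.key, before the Copy Files step.
# check_cert_pair is a hypothetical helper name, not part of Nagios or OpenSSL.
# Returns: 0 ok, 1 key mismatch, 2 unreadable file, 3 CN mismatch, 4 expired.
# Usage: check_cert_pair certfile.crt keyfile.key core-063.domain.local

check_cert_pair() {
    cert=$1; key=$2; expected_cn=$3

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 2; }
    # Public key derived from the private key file.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 2; }

    # Apache refuses to start if the certificate and key do not match.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $cert does not belong to $key" >&2
        return 1
    fi

    # Common Name as entered at the "Common Name" prompt.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "CN is '$cn', expected '$expected_cn'" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 4
    fi

    echo "OK: $cert matches $key, CN=$cn"
}
```

Current browsers match the hostname against the certificate's subjectAltName extension rather than the Common Name, so a Common Name match here does not by itself guarantee a warning-free connection.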
 

Copy Files

You need to copy the certificate files to the correct location and set permissions. Execute the following commands:

sudo cp certfile.crt /opt/local/apache2/conf/
sudo cp keyfile.key /opt/local/apache2/conf/
sudo chmod go-rwx /opt/local/apache2/conf/certfile.crt
sudo chmod go-rwx /opt/local/apache2/conf/keyfile.key

 

Update Apache Configuration

Now you have to tell the Apache web server where to look for the certificate files. Open the /opt/local/apache2/conf/extra/httpd-ssl.conf file in vi by executing the following command:

sudo vi /opt/local/apache2/conf/extra/httpd-ssl.conf

 

Find these lines and update them as follows:

SSLCertificateFile /opt/local/apache2/conf/certfile.crt
SSLCertificateKeyFile /opt/local/apache2/conf/keyfile.key

 
Tip: typing /eFile and pressing Enter in vi should take you directly to this section in the file.

 

Save the changes; you have finished editing this file.

 

Open the /opt/local/apache2/conf/httpd.conf file in vi by executing the following command:

sudo vi /opt/local/apache2/conf/httpd.conf

 

Add the following lines to the end of the file (press SHIFT + G):

Include /opt/local/apache2/conf/extra/httpd-ssl.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

Save the changes; you have finished editing this file.

 

Restart Apache Web Server

You need to restart Apache for the new certificate and key to be used.

sudo port reload apache2

 

Firewall Rules

The firewall in OS X is turned off by default. Please refer to the Apple documentation for information on how to enable or configure TCP port 443 inbound.

 

Test Certificate

Now test your connection to the server by directing your web browser to https://yourservername/.

Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self signed certificate warning, but that is OK, you can just add a security exception. If it is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598

If it returns an error, check your firewall and backtrack through this document, making sure you've performed all the steps listed.

 

Notes On Redirecting

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /opt/local/apache2/conf/httpd.conf file.

RewriteRule (.*) https://yourservername.yourdomain.com%{REQUEST_URI}


Then reload the apache2 service.

More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598
 

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/
