This documentation can used to generate a request that can be submitted to any of these CA types.

Transcription

1 Nagios Core - Configuring SSL/TLS Article Number: 595 Rating: 5/5 from 1 votes Last Updated: Thu, Jul 20, 2017 at 8:09 PM C o nf igur ing S S L/TLS Fo r Na gio s C o r e This KB article describes how to configure your Nagios Core server to use certificates for SSL/TLS. This KB article is also to be used an initial point for troubleshooting SSL/TLS connections. This guide is broken up into several sections and covers different operating system (OS) distributions. If your OS Distribution is not included in this guide then please contact us to see if we can get it added. Some distributions may be missing as we don't have access to a test environment that allows us to develop the documentation. Nagios Core is the version used when creating this KB article. No te : This guide is based on Nagios Core being installed using the following KB article: Documentation - Installing Nagios Core From Source Te rmino lo gy For your information: SSL = Secure Sockets Layer TLS = Transport Layer Security TLS replaces SSL, however the tools used to implement both generally use SSL in their name/directives. For simplicity reasons, the rest of this KB article will use the term SSL. To implement SSL you need to generate a certificate. When you generate a certificate, you create a request that needs to be signed by a Certificate Authority (CA). This CA can be: A trusted company like VeriSign An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA The Nagios Core server itself (self signed) The CA will then provide you with a signed certificate. This documentation can used to generate a request that can be submitted to any of these CA types. Edit ing File s In many steps of this article you will be required to edit files. This documentation will use the vi text editor. When using the vi editor: To make changes press i on the keyboard first to enter insert mode Press Esc to exit insert mode When you have finished, save the changes in vi by typing :wq and press Enter Please select your OS:

2 Red Hat Enterprise Linux (RHEL) CentOS Oracle Linux Ubuntu SUSE SLES opensuse Leap Debian Raspbian Fedora Arch Linux Gentoo FreeBSD Solaris Apple OS X C e nt O S RHEL O r a c le Linux Pre re quis it e s Perform these steps to install the pre- requisite packages. yum install -y mod_ssl openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr

3 You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-013.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [XX]:AU State or Province Name (full name) []:NSW Locality Name (eg, city) [Default City]:Sydney Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:core-013.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi.

4 You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/pki/tls/certs/ cp keyfile.key /etc/pki/tls/private/ chmod go-rwx /etc/pki/tls/certs/certfile.crt chmod go-rwx /etc/pki/tls/private/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command: vi /etc/httpd/conf.d/ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/pki/tls/certs/certfile.crt SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf

5 Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. ===== CentOS 5.x / 6.x RHEL 5.x / 6.x Oracle Linux 5.x / 6.x ===== service httpd restart ===== CentOS 7.x RHEL 7.x Oracle Linux 7.x ===== systemctl restart httpd.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. ===== CentOS 5.x / 6.x RHEL 5.x / 6.x Oracle Linux 5.x / 6.x ===== iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT service iptables save ip6tables -I INPUT -p tcp --destination-port 443 -j ACCEPT service ip6tables save ===== CentOS 7.x RHEL 7.x Oracle Linux 7.x ===== firewall-cmd --zone=public --add-port=443/tcp firewall-cmd --zone=public --add-port=443/tcp --permanent Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing

6 With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*) Then restart the httpd service. More detailed information about this can be found in the following KB article: Ubunt u Pre re quis it e s Perform these steps to install the pre- requisite packages. sudo apt-get update sudo apt-get install -y openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-047.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request.

7 What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-047.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step.

8 S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: sudo cp certfile.crt /etc/ssl/certs/ sudo cp keyfile.key /etc/ssl/private/ sudo chmod go-rwx /etc/ssl/certs/certfile.crt sudo chmod go-rwx /etc/ssl/private/keyfile.key Updat e Apac he C o nf igurat io n Enable the mod_ssl module in Apache by executing the following command: sudo a2enmod ssl sudo a2enmod rewrite Now you have to tell the Apache web server where to look for it. Open the following file in vi by executing the following command: ===== Ubuntu 13.x ===== sudo vi /etc/apache2/sites-available/default-ssl ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo vi /etc/apache2/sites-available/default-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/ssl/certs/certfile.crt SSLCertificateKeyFile /etc/ssl/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the following file in vi by executing the following command: ===== Ubuntu 13.x ===== sudo vi /etc/apache2/sites-available/default

9 sudo vi /etc/apache2/sites-available/default ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo vi /etc/apache2/sites-available/000-default.conf Navigate to the end of the file (press S HIFT + G ), and before </VirtualHost> add the following:: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Now you have to enable this configuration in Apache by executing the following command: ===== Ubuntu 13.x ===== sudo a2ensite default-ssl ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo a2ensite default-ssl.conf Re lo ad Apac he We b Se rve r You need to reload Apache for the new certificate key to be used. ===== Ubuntu 13.x / 14.x ===== sudo service apache2 reload ===== Ubuntu 15.x / 16.x / 17.x ===== sudo systemctl reload apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. sudo ufw allow https sudo ufw reload Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

10 You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule. RewriteRule (.*) Then reload the apache2 service. More detailed information about this can be found in the following KB article: S US E S LES o pe ns US E Le a p Pre re quis it e s Perform these steps to install the pre- requisite packages. sudo zypper --non-interactive install openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n

11 You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-045.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-045.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step.

12 You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: sudo cp certfile.crt /etc/apache2/ssl.crt/ sudo cp keyfile.key /etc/apache2/ssl.key/ sudo chmod go-rwx /etc/apache2/ssl.crt/certfile.crt sudo chmod go-rwx /etc/apache2/ssl.key/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. There is a template vhost-ssl.template file that will be copied and then modified. Execute the following commands: sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf sudo vi /etc/apache2/vhosts.d/vhost-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/apache2/ssl.crt/certfile.crt SSLCertificateKeyFile /etc/apache2/ssl.key/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/apache2/default-server.conf file in vi by executing the following command: sudo vi /etc/apache2/default-server.conf Add the following lines to the end of the file (press S HIFT + G ):

13 Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Now you have to enable SSL in Apache by executing the following commands: sudo /usr/sbin/a2enmod rewrite sudo /usr/sbin/a2enmod ssl sudo /usr/sbin/a2enflag SSL Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. ===== SUSE SLES 11.x ===== sudo /sbin/service apache2 restart ===== SUSE SLES 12.x opensuse ===== sudo systemctl restart apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. ===== SUSE SLES 11.x ===== Port 443 is enabled when Apache is configure, nothing needs to be done. ===== SUSE SLES 12.x ===== sudo /usr/sbin/susefirewall2 open EXT TCP 443 sudo systemctl restart SuSEfirewall2.service ===== opensuse ===== Port 443 is enabled when Apache is configure, nothing needs to be done. Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web

14 see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule. RewriteRule (.*) Then reload the apache2 service. More detailed information about this can be found in the following KB article: De bia n Ra s pbia n All steps on Debian require to run as root. To become root simply run: Debian: su Raspbian: sudo -i All commands from this point onwards will be as root. Pre re quis it e s Perform these steps to install the pre- requisite packages. apt-get update apt-get install -y openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command:

15 openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-033.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-033.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with

16 You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/ssl/certs/ cp keyfile.key /etc/ssl/private/ chmod go-rwx /etc/ssl/certs/certfile.crt chmod go-rwx /etc/ssl/private/keyfile.key Updat e Apac he C o nf igurat io n Enable the mod_ssl module in Apache by executing the following command: sudo a2enmod ssl sudo a2enmod rewrite Now you have to tell the Apache web server where to look for it. Open the following file in vi by executing the following command: ===== Debian 7.x =====

17 vi /etc/apache2/sites-available/default-ssl ===== Debian 8.x ===== vi /etc/apache2/sites-available/default-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/ssl/certs/certfile.crt SSLCertificateKeyFile /etc/ssl/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the following file in vi by executing the following command: ===== Debian 7.x ===== vi /etc/apache2/sites-available/default ===== Debian 8.x ===== vi /etc/apache2/sites-available/000-default.conf Navigate to the end of the file (press S HIFT + G ), and before </VirtualHost> add the following:: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Now you have to enable this configuration in Apache by executing the following command: ===== Debian 7.x ===== a2ensite default-ssl ===== Debian 8.x ===== a2ensite default-ssl.conf Re lo ad Apac he We b Se rve r You need to reload Apache for the new certificate key to be used.

18 ===== Debian 7.x ===== service apache2 reload ===== Debian 8.x ===== systemctl reload apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT apt-get install -y iptables-persistent If prompted, answer yes to saving existing rules Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule. RewriteRule (.*) Then reload the apache2 service. More detailed information about this can be found in the following KB article: Fe do r a Pre re quis it e s Perform these steps to install the pre- requisite packages. dnf install -y mod_ssl openssl

19 dnf install -y mod_ssl openssl dnf update -y All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-038.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [XX]:AU State or Province Name (full name) []:NSW Locality Name (eg, city) [Default City]:Sydney Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:core-038.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary.

20 Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/pki/tls/certs/ cp keyfile.key /etc/pki/tls/private/ chmod go-rwx /etc/pki/tls/certs/certfile.crt chmod go-rwx /etc/pki/tls/private/keyfile.key

21 Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command: vi /etc/httpd/conf.d/ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/pki/tls/certs/certfile.crt SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. systemctl restart httpd.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. firewall-cmd --zone=fedoraserver --add-port=443/tcp firewall-cmd --zone=fedoraserver --add-port=443/tcp --permanent Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

22 You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*) Then restart the httpd service. More detailed information about this can be found in the following KB article: Ar c h Linux Pre re quis it e s Perform these steps to install the pre- requisite packages. pacman --noconfirm -Syyu pacman --noconfirm -S openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr

23 You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-088.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-088.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi.

24 You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/httpd/conf/ cp keyfile.key /etc/httpd/conf/ chmod go-rwx /etc/httpd/conf/certfile.crt chmod go-rwx /etc/httpd/conf/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf/extra/httpdssl.conf file in vi by executing the following command: vi /etc/httpd/conf/extra/httpd-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/httpd/conf/certfile.crt SSLCertificateKeyFile /etc/httpd/conf/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf

25 Find the following lines and remove the # from the beginning: LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule rewrite_module modules/mod_rewrite.so Include conf/extra/httpd-ssl.conf Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. systemctl daemon-reload systemctl restart httpd.service Fire wall Rule s Arch Linux does not have a firewall enabled in a fresh installation. Please refer to the Arch Linux documentation on allowing TCP port 443 inbound. Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to More detailed information about this can be found in the following KB article: If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types in their web browser, it will redirect them to which can cause certificate warnings. If you wanted to redirect them to then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*)

26 Then restart the httpd service. More detailed information about this can be found in the following KB article: G e nt o o Pre re quis it e s The existing Apache installation will already have the prerequisites installed. G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-044.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-044.domain.local Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

27 As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/ssl/apache2/