This documentation can used to generate a request that can be submitted to any of these CA types.

Similar documents
An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA

Article Number: 602 Rating: Unrated Last Updated: Tue, Jan 2, 2018 at 5:13 PM

Purpose. Target Audience. Overview. Prerequisites. Nagios Log Server. Sending NXLogs With SSL/TLS

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

This guide is broken up into several sections and covers different Linux distributions and non- Linux operating systems.

Purpose. Target Audience. Solution Overview NCPA. Using NCPA For Passive Checks

2. Installing OpenBiblio 1.0 on a Windows computer

Purpose. Target Audience. Install SNMP On The Remote Linux Machine. Nagios XI. Monitoring Linux Using SNMP

Article Number: 802 Rating: 4/5 from 1 votes Last Updated: Wed, Mar 7, 2018 at 5:20 PM

Your Apache ssl.conf in /etc/httpd.conf.d directory has the following SSLCertificate related directives.

Article Number: 801 Rating: Unrated Last Updated: Tue, Mar 13, 2018 at 9:19 PM

Offloading NDO2DB To Remote Server

شرکت توسعه ارتباطات پردیس پارس. owncloud. The last file sharing platform you'll ever need

Article Number: 569 Rating: 2.7/5 from 3 votes Last Updated: Tue, Sep 12, 2017 at 2:54 AM

Installing an SSL certificate on your server

Controller Installation

Bitnami Pimcore for Huawei Enterprise Cloud

Bitnami ez Publish for Huawei Enterprise Cloud

Secure Websites Using SSL And Certificates

Bitnami Tiny Tiny RSS for Huawei Enterprise Cloud

Bitnami Piwik for Huawei Enterprise Cloud

Bitnami Re:dash for Huawei Enterprise Cloud

Setting up the Apache Web Server

Bitnami Dolibarr for Huawei Enterprise Cloud

Bitnami Coppermine for Huawei Enterprise Cloud

There are separate firewall daemons for for IPv4 and IPv6 and hence there are separate commands which are provided below.

Bitnami OroCRM for Huawei Enterprise Cloud

Orchid Core VMS Installation Guide

Bitnami ProcessMaker Community Edition for Huawei Enterprise Cloud

Mac OSX Certificate Enrollment Procedure

Authenticating and Importing Users with Active Directory and LDAP

Orchid Fusion VMS Installation Guide

Authenticating and Importing Users with AD and LDAP

Public-key Infrastructure

Bitnami TestLink for Huawei Enterprise Cloud

Bitnami OSQA for Huawei Enterprise Cloud

Bitnami Mantis for Huawei Enterprise Cloud

Bitnami ERPNext for Huawei Enterprise Cloud

Fasthosts Customer Support Generating Certificate Signing Requests

This document is intended for use by Nagios Administrators that want to use Slack for notifications.

MSE System and Appliance Hardening Guidelines

SSL Configuration: an example. July 2016

Public-Key Infrastructure (PKI) Lab

Authenticating and Importing Users with AD and LDAP

Install some base packages. I recommend following this guide as root on a new VPS or using sudo su, it will make running setup just a touch easier.

Generating Certificate Signing Requests

Practical Exercise: Smartcard-based authentication in HTTP

14. Configuring Telnet in Knoppix

Public-key Infrastructure

Genesys Interaction Recording Solution Guide. WebDAV Requirements

Bitnami Open Atrium for Huawei Enterprise Cloud

UCON-IP-NEO Operation Web Interface

Public-key Infrastructure

Moab Viewpoint. Reference Guide August 2016

Bitnami Spree for Huawei Enterprise Cloud

Red Hat Enterprise Linux 7 Getting Started with Cockpit

SSL, Credit Card Transactions. CS174 Chris Pollett Nov. 5, 2007.

How to Enable Client Certificate Authentication on Avi

Teradici PCoIP Connection Manager 1.8 and Security Gateway 1.14

Server software page. Certificate Signing Request (CSR) Generation. Software

Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients

Apache Httpd Manual Conf Virtualhost Redirect

Linux Postfix Smtp (mail Server) Ssl Certificate Installation And Configuration

Spreedbox Getting Started Guide

Deltek Maconomy. Navigator Installation

eroaming platform Secure Connection Guide

Offloading MySQL to Remote Server

Bitnami Phabricator for Huawei Enterprise Cloud

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

Bitnami Trac for Huawei Enterprise Cloud

mobilefish.com Create self signed certificates with Subject Alternative Names

Installing SmartSense on HDP

Moab Viewpoint. Administrator Guide October 2015 Revised December 15, 2015

Image Management Service. User Guide. Issue 03. Date

Bitnami JFrog Artifactory for Huawei Enterprise Cloud

Red Hat Gluster Storage 3.3

HTTPS Setup using mod_ssl on CentOS 5.8. Jeong Chul. tland12.wordpress.com. Computer Science ITC and RUPP in Cambodia

CA Nimsoft Unified Management Portal

Getting Started with the VQE Startup Configuration Utility

Exercises Basics of Web Security Experiential Learning Workshop

Downloading and installing Db2 Developer Community Edition on Red Hat Enterprise Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

SCCM Plug-in User Guide. Version 3.0

Bitnami Moodle for Huawei Enterprise Cloud

UCServer Webservice Release. Best Practice

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

Red Hat Enterprise Linux Atomic Host 7 Getting Started with Cockpit

VIRTUAL GPU LICENSE SERVER VERSION AND 5.1.0

Install Apache, PHP And MySQL On CentOS 7 (LAMP)

Securing Communications with your Apache HTTP Server. Lars Eilebrecht

Flush Dns Settings Linux Redhat 5 Step Step

GateDefender Performa updates from a local Web server

Nimsoft Unified Management Portal

Bitnami DokuWiki for Huawei Enterprise Cloud

Red Hat Ceph Storage 3

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Certificate service - test bench. Project to establish the National Incomes Register

Using SSL/TLS with Active Directory / LDAP

Article Number: 406 Rating: 3/5 from 2 votes Last Updated: Mon, Jun 5, 2017 at 3:08 AM. This document describes how to install NDOUtils from source.

Client Authenticated SSL Server Setup Guide for Apache Webservers

HPE Knowledge Article

Transcription:

Nagios Core - Configuring SSL/TLS Article Number: 595 Rating: 5/5 from 1 votes Last Updated: Thu, Jul 20, 2017 at 8:09 PM C o nf igur ing S S L/TLS Fo r Na gio s C o r e This KB article describes how to configure your Nagios Core server to use certificates for SSL/TLS. This KB article is also to be used an initial point for troubleshooting SSL/TLS connections. This guide is broken up into several sections and covers different operating system (OS) distributions. If your OS Distribution is not included in this guide then please contact us to see if we can get it added. Some distributions may be missing as we don't have access to a test environment that allows us to develop the documentation. Nagios Core 4.3.2 is the version used when creating this KB article. No te : This guide is based on Nagios Core being installed using the following KB article: Documentation - Installing Nagios Core From Source Te rmino lo gy For your information: SSL = Secure Sockets Layer TLS = Transport Layer Security TLS replaces SSL, however the tools used to implement both generally use SSL in their name/directives. For simplicity reasons, the rest of this KB article will use the term SSL. To implement SSL you need to generate a certificate. When you generate a certificate, you create a request that needs to be signed by a Certificate Authority (CA). This CA can be: A trusted company like VeriSign An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA The Nagios Core server itself (self signed) The CA will then provide you with a signed certificate. This documentation can used to generate a request that can be submitted to any of these CA types. Edit ing File s In many steps of this article you will be required to edit files. This documentation will use the vi text editor. When using the vi editor: To make changes press i on the keyboard first to enter insert mode Press Esc to exit insert mode When you have finished, save the changes in vi by typing :wq and press Enter Please select your OS:

Red Hat Enterprise Linux (RHEL) CentOS Oracle Linux Ubuntu SUSE SLES opensuse Leap Debian Raspbian Fedora Arch Linux Gentoo FreeBSD Solaris Apple OS X C e nt O S RHEL O r a c le Linux Pre re quis it e s Perform these steps to install the pre- requisite packages. yum install -y mod_ssl openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr

You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-013.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:AU State or Province Name (full name) []:NSW Locality Name (eg, city) [Default City]:Sydney Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:core-013.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi.

You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/pki/tls/certs/ cp keyfile.key /etc/pki/tls/private/ chmod go-rwx /etc/pki/tls/certs/certfile.crt chmod go-rwx /etc/pki/tls/private/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command: vi /etc/httpd/conf.d/ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/pki/tls/certs/certfile.crt SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf

Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. ===== CentOS 5.x / 6.x RHEL 5.x / 6.x Oracle Linux 5.x / 6.x ===== service httpd restart ===== CentOS 7.x RHEL 7.x Oracle Linux 7.x ===== systemctl restart httpd.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. ===== CentOS 5.x / 6.x RHEL 5.x / 6.x Oracle Linux 5.x / 6.x ===== iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT service iptables save ip6tables -I INPUT -p tcp --destination-port 443 -j ACCEPT service ip6tables save ===== CentOS 7.x RHEL 7.x Oracle Linux 7.x ===== firewall-cmd --zone=public --add-port=443/tcp firewall-cmd --zone=public --add-port=443/tcp --permanent Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing

With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri} Then restart the httpd service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 Ubunt u Pre re quis it e s Perform these steps to install the pre- requisite packages. sudo apt-get update sudo apt-get install -y openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-047.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-047.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step.

S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: sudo cp certfile.crt /etc/ssl/certs/ sudo cp keyfile.key /etc/ssl/private/ sudo chmod go-rwx /etc/ssl/certs/certfile.crt sudo chmod go-rwx /etc/ssl/private/keyfile.key Updat e Apac he C o nf igurat io n Enable the mod_ssl module in Apache by executing the following command: sudo a2enmod ssl sudo a2enmod rewrite Now you have to tell the Apache web server where to look for it. Open the following file in vi by executing the following command: ===== Ubuntu 13.x ===== sudo vi /etc/apache2/sites-available/default-ssl ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo vi /etc/apache2/sites-available/default-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/ssl/certs/certfile.crt SSLCertificateKeyFile /etc/ssl/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the following file in vi by executing the following command: ===== Ubuntu 13.x ===== sudo vi /etc/apache2/sites-available/default

sudo vi /etc/apache2/sites-available/default ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo vi /etc/apache2/sites-available/000-default.conf Navigate to the end of the file (press S HIFT + G ), and before </VirtualHost> add the following:: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Now you have to enable this configuration in Apache by executing the following command: ===== Ubuntu 13.x ===== sudo a2ensite default-ssl ===== Ubuntu 14.x / 15.x / 16.x / 17.x ===== sudo a2ensite default-ssl.conf Re lo ad Apac he We b Se rve r You need to reload Apache for the new certificate key to be used. ===== Ubuntu 13.x / 14.x ===== sudo service apache2 reload ===== Ubuntu 15.x / 16.x / 17.x ===== sudo systemctl reload apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. sudo ufw allow https sudo ufw reload Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri} Then reload the apache2 service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 S US E S LES o pe ns US E Le a p Pre re quis it e s Perform these steps to install the pre- requisite packages. sudo zypper --non-interactive install openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n

You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-045.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-045.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step.

You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: sudo cp certfile.crt /etc/apache2/ssl.crt/ sudo cp keyfile.key /etc/apache2/ssl.key/ sudo chmod go-rwx /etc/apache2/ssl.crt/certfile.crt sudo chmod go-rwx /etc/apache2/ssl.key/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. There is a template vhost-ssl.template file that will be copied and then modified. Execute the following commands: sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf sudo vi /etc/apache2/vhosts.d/vhost-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/apache2/ssl.crt/certfile.crt SSLCertificateKeyFile /etc/apache2/ssl.key/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/apache2/default-server.conf file in vi by executing the following command: sudo vi /etc/apache2/default-server.conf Add the following lines to the end of the file (press S HIFT + G ):

Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Now you have to enable SSL in Apache by executing the following commands: sudo /usr/sbin/a2enmod rewrite sudo /usr/sbin/a2enmod ssl sudo /usr/sbin/a2enflag SSL Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. ===== SUSE SLES 11.x ===== sudo /sbin/service apache2 restart ===== SUSE SLES 12.x opensuse ===== sudo systemctl restart apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. ===== SUSE SLES 11.x ===== Port 443 is enabled when Apache is configure, nothing needs to be done. ===== SUSE SLES 12.x ===== sudo /usr/sbin/susefirewall2 open EXT TCP 443 sudo systemctl restart SuSEfirewall2.service ===== opensuse ===== Port 443 is enabled when Apache is configure, nothing needs to be done. Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web

see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri} Then reload the apache2 service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 De bia n Ra s pbia n All steps on Debian require to run as root. To become root simply run: Debian: su Raspbian: sudo -i All commands from this point onwards will be as root. Pre re quis it e s Perform these steps to install the pre- requisite packages. apt-get update apt-get install -y openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command:

openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-033.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-033.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with

You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/ssl/certs/ cp keyfile.key /etc/ssl/private/ chmod go-rwx /etc/ssl/certs/certfile.crt chmod go-rwx /etc/ssl/private/keyfile.key Updat e Apac he C o nf igurat io n Enable the mod_ssl module in Apache by executing the following command: sudo a2enmod ssl sudo a2enmod rewrite Now you have to tell the Apache web server where to look for it. Open the following file in vi by executing the following command: ===== Debian 7.x =====

vi /etc/apache2/sites-available/default-ssl ===== Debian 8.x ===== vi /etc/apache2/sites-available/default-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/ssl/certs/certfile.crt SSLCertificateKeyFile /etc/ssl/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the following file in vi by executing the following command: ===== Debian 7.x ===== vi /etc/apache2/sites-available/default ===== Debian 8.x ===== vi /etc/apache2/sites-available/000-default.conf Navigate to the end of the file (press S HIFT + G ), and before </VirtualHost> add the following:: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Now you have to enable this configuration in Apache by executing the following command: ===== Debian 7.x ===== a2ensite default-ssl ===== Debian 8.x ===== a2ensite default-ssl.conf Re lo ad Apac he We b Se rve r You need to reload Apache for the new certificate key to be used.

===== Debian 7.x ===== service apache2 reload ===== Debian 8.x ===== systemctl reload apache2.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT apt-get install -y iptables-persistent If prompted, answer yes to saving existing rules Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri} Then reload the apache2 service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 Fe do r a Pre re quis it e s Perform these steps to install the pre- requisite packages. dnf install -y mod_ssl openssl

dnf install -y mod_ssl openssl dnf update -y All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-038.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:AU State or Province Name (full name) []:NSW Locality Name (eg, city) [Default City]:Sydney Organization Name (eg, company) [Default Company Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:core-038.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary.

Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/pki/tls/certs/ cp keyfile.key /etc/pki/tls/private/ chmod go-rwx /etc/pki/tls/certs/certfile.crt chmod go-rwx /etc/pki/tls/private/keyfile.key

Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf.d/ssl.conf file in vi by executing the following command: vi /etc/httpd/conf.d/ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/pki/tls/certs/certfile.crt SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. systemctl restart httpd.service Fire wall Rule s You need to allow port 443 inbound traffic on the local firewall so you can reach the Nagios Core web interface. firewall-cmd --zone=fedoraserver --add-port=443/tcp firewall-cmd --zone=fedoraserver --add-port=443/tcp --permanent Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works.

You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri} Then restart the httpd service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 Ar c h Linux Pre re quis it e s Perform these steps to install the pre- requisite packages. pacman --noconfirm -Syyu pacman --noconfirm -S openssl All of the remaining steps will be performed from within the root user's home directory to ensure the files you create are not accessible to anyone except the root user. Change into the home directory with this command: cd ~ G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr

You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-088.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-088.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi.

You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/httpd/conf/ cp keyfile.key /etc/httpd/conf/ chmod go-rwx /etc/httpd/conf/certfile.crt chmod go-rwx /etc/httpd/conf/keyfile.key Updat e Apac he C o nf igurat io n Now you have to tell the Apache web server where to look for it. Open the /etc/httpd/conf/extra/httpdssl.conf file in vi by executing the following command: vi /etc/httpd/conf/extra/httpd-ssl.conf Find these lines and update them as follows: SSLCertificateFile /etc/httpd/conf/certfile.crt SSLCertificateKeyFile /etc/httpd/conf/keyfile.key Tip : typing /efile and pressing Enter in vi should take you directly to this section in the file. Save the changes, you have finished editing this file. Open the /etc/httpd/conf/httpd.conf file in vi by executing the following command: vi /etc/httpd/conf/httpd.conf

Find the following lines and remove the # from the beginning: LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule rewrite_module modules/mod_rewrite.so Include conf/extra/httpd-ssl.conf Add the following lines to the end of the file (press S HIFT + G ): RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{http_host}%{request_uri} Save the changes, you have finished editing this file. Re s t art Apac he We b Se rve r You need to restart Apache for the new certificate key to be used. systemctl daemon-reload systemctl restart httpd.service Fire wall Rule s Arch Linux does not have a firewall enabled in a fresh installation. Please refer to the Arch Linux documentation on allowing TCP port 443 inbound. Te s t C e rt if ic at e Now test your connection to the server by directing your web browser to https://yourservername/. Note: There is no nagios/ extension in the URL, you are just testing a connection to Apache to see if the certificate works. You may get a self signed certificate warning, but that is OK, you can just add a security exception. If is working you'll see the Apache test web page. You will now be able to access your Nagios Core server by directing your web browser to https://yourservername/nagios/. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 If it returns an error check your firewall and backtrack through this document, making sure you've performed all the steps listed. No t e s On Re dire c t ing With this configuration, if a user types http://yourservername in their web browser, it will redirect them to https://yourservername which can cause certificate warnings. If you wanted to redirect them to https://yourservername.yourdomain.com then you simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file. RewriteRule (.*) https://yourservername.yourdomain.com%{request_uri}

Then restart the httpd service. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 G e nt o o Pre re quis it e s The existing Apache installation will already have the prerequisites installed. G e ne rat e Privat e Ke y File The first step is to generate the private key file, execute the following command: openssl genrsa -out keyfile.key 2048 That would have generated some random text. G e ne rat e C e rt if ic at e Re que s t File Next you will generate the certificate request file by executing the following command: openssl req -new -key keyfile.key -out certrequest.csr You will need to supply some values, some can be left blank, however the most important value is the C o mmo n Na me. In the example below you can see that core-044.domain.local has been used which means that when you access the Nagios Core server in your web browser, this is the address you will need to use. This is particularly important, if these don't match then you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 The following is an example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) []:Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Pty Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core-044.domain.local Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

As you can see above a password was not supplied, it is not necessary. Sign C e rt if ic at e Re que s t At this point you have created a certificate request that needs to be signed by a CA. Us ing A Trus te d C A C o mp a ny If you are going to use a trusted company like VeriSign to provide you with a certificate you will need to send them a copy of the certificate request. This can be viewed by executing the following command: cat certrequest.csr You'll get a lot of random text, this is what you will need to provide to your trusted CA. You must provide the CA with everything including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST---- - lines. Once they send you the signed certificate you will need to copy the certificate into a new file called certfile.crt. The certificate you receive will also be a lot of random text, so you can just paste that text into the new file which you can open with the vi editor: vi certfile.crt You must paste everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting them into the file. Save the file and close vi. You can now proceed to the C o p y File s step. Us ing A Mic ro s o ft Wind o ws C A If you are going to use a Microsoft Windows CA to sign your certificate request please follow the steps in this KB article: https://support.nagios.com/kb/article.php?id=597 After following the KB article you will have the certfile.crt file and you can proceed to the C o p y File s step. S e lf S ig ning The C e rtific a te You can also self- sign the certificate by executing the following command: openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt Which should produce output saying the Signature was OK and it was Getting Private Key. No te : When you self sign a certificate you will get warnings in your web browser. More detailed information about this can be found in the following KB article: https://support.nagios.com/kb/article.php?id=598 C o py File s You need to copy the certificate files to the correct location and set permissions, execute the following commands: cp certfile.crt /etc/ssl/apache2/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback