Configuring SSL/TLS on Nagios

This post describes how to configure SSL/TLS on your Nagios server. During the initial setup, I’m using CentOS 7.x.

yum install -y mod_ssl openssl

Next, go to root’s home directory. If you are not logged in as root, go ahead and do so.

cd ~

Next, you will need to generate a private key file. This can be done with the following command. You will see some random characters in your terminal session.

openssl genrsa -out keyfile.key 2048

Next, you will need to generate a cert request file. It can be done by entering the following command. You will be asked for some information; this is for the cert.

When you are asked for the common name, make sure that you enter the host server’s name. Also, the challenge password is not needed.

openssl req -new -key keyfile.key -out certrequest.csr

Now that you have created a cert request, you’ll need to copy and paste the file contents of the certrequest into it. It will look something like this, but with random characters.

-----BEGIN CERTIFICATE REQUEST-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE REQUEST-----

After you have copied the contents of the file, you can self-sign the cert. If you are self-signing the cert, go ahead and use the following command.

openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt

Next, you will need to copy the files to these specific locations:

cp certfile.crt /etc/pki/tls/certs/
cp keyfile.key /etc/pki/tls/private/
chmod go-rwx /etc/pki/tls/certs/certfile.crt
chmod go-rwx /etc/pki/tls/private/keyfile.key

Once you have copied and chmod’ed the files, you will need to edit the Apache configuration file.

/etc/httpd/conf.d/ssl.conf

Look for these specific lines in the config file. You will need to edit these lines to match the paths where the crt and key files are (/etc/pki/tls/certs/certfile.crt and /etc/pki/tls/private/keyfile.key).

SSLCertificateFile
SSLCertificateKeyFile

Finally, you will need to edit the httpd.conf file and add these lines.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Once done, you’ll need to add the firewall rules.

firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent

Once the rules have been added, go ahead and restart httpd.service.


Adding the following line to the httpd.conf file redirects the connection to port 443 (HTTPS).

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
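A sanity check for the key and cert produced by the steps above, to run before restarting httpd. This is an added example, not part of the original post. The function names check_tls_pair and make_demo_pair, the 30-day expiry threshold and the host name used with them are assumptions.

```bash
#!/usr/bin/env bash
# check_tls_pair KEY CERT HOST: returns the number of failed checks (0 = all passed).
check_tls_pair() {
    local key="$1" crt="$2" host="$3" fails=0 kpub cpub subj
    # 1. The cert must carry the public key derived from the private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $crt does not match $key"; fails=$((fails + 1))
    fi
    # 2. The common name must be the server's host name, as entered at the CSR prompt.
    subj=$(openssl x509 -in "$crt" -noout -nameopt RFC2253 -subject 2>/dev/null |
           sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$host,"*) ;;
        *) echo "FAIL: CN is not $host (subject: $subj)"; fails=$((fails + 1)) ;;
    esac
    # 3. The cert is only valid for 365 days: flag one that expires within 30 days.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days"; fails=$((fails + 1))
    fi
    # 4. After chmod go-rwx the key must have no group/other permission bits.
    if [ "$(ls -ln "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or other"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed demo input: builds a throwaway pair in DIR with the page's commands
# (-subj replaces the interactive prompts; the host name is a placeholder).
make_demo_pair() {
    local dir="$1" host="$2"
    openssl genrsa -out "$dir/keyfile.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/keyfile.key" -subj "/CN=$host" \
        -out "$dir/certrequest.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$dir/certrequest.csr" \
        -signkey "$dir/keyfile.key" -out "$dir/certfile.crt" 2>/dev/null &&
    chmod go-rwx "$dir/keyfile.key" "$dir/certfile.crt"
}

# On the server from the post:
#   check_tls_pair /etc/pki/tls/private/keyfile.key \
#                  /etc/pki/tls/certs/certfile.crt "$(hostname -f)" && systemctl restart httpd
```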

 
