This post describes how to configure SSL/TLS on your Nagios server. For this setup, I’m using CentOS 7.x. Start by installing mod_ssl and openssl.
yum install -y mod_ssl openssl
Next, go to root’s home directory. If you are not logged in as root, go ahead and do so.
cd ~
Next, you will need to generate a private key file. This can be done with the following command. You will see some random characters in your terminal session.
openssl genrsa -out keyfile.key 2048
Next, you will need to generate a cert request file. This can be done by entering the following command. You will be asked for some information; this is for the cert.
When you are asked for the common name, make sure that you enter the host server’s name. Also, the challenge password is not needed.
openssl req -new -key keyfile.key -out certrequest.csr
Now that you have created a cert request, you’ll need to copy and paste the contents of the certrequest file into it. It will look something like this, but with random characters.
-----BEGIN CERTIFICATE REQUEST----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE REQUEST-----
After you have copied the contents of the file, you can self-sign the cert. If you are self-signing the cert, go ahead and use the following command.
openssl x509 -req -days 365 -in certrequest.csr -signkey keyfile.key -out certfile.crt
Next, you will need to copy the files to these specific locations.
cp certfile.crt /etc/pki/tls/certs/
cp keyfile.key /etc/pki/tls/private/
chmod go-rwx /etc/pki/tls/certs/certfile.crt
chmod go-rwx /etc/pki/tls/private/keyfile.key
Once you have copied and chmod’ed the files, you will need to edit the Apache configuration file.
/etc/httpd/conf.d/ssl.conf
Look for these specific lines in the config file. You will need to edit these lines to match the path where the crt and key files are.
SSLCertificateFile
SSLCertificateKeyFile
Finally, you will need to edit the httpd.conf file.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Once done, you’ll need to add the firewall rules.
firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent
Once the rules have been added, go ahead and restart httpd.service.
Adding the following line to the httpd.conf file redirects connections to port 443 (HTTPS).
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
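Before restarting httpd, it is worth confirming that the certificate and key copied into /etc/pki/tls belong together, that the cert is not close to expiry, and that the key is not readable by group or other. The script below is an added example, not part of the original post; the function names and the script name check_tls.sh are hypothetical, and key_is_private assumes GNU stat as shipped on CentOS.

```shell
#!/bin/sh
# Added example: pre-restart checks for the certificate and key installed above.
# Function names are hypothetical; key_is_private assumes GNU stat (as on CentOS).

# Succeeds only if the certificate's public key equals the one derived from the
# private key. Returns 2 if either file cannot be parsed, so two unreadable
# files are never reported as a match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if group and other have no permissions on the key (chmod go-rwx).
key_is_private() {
    perm=$(stat -c %a "$1") || return 2
    case "$perm" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: sh check_tls.sh /etc/pki/tls/certs/certfile.crt /etc/pki/tls/private/keyfile.key
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2"  || { echo "FAIL: cert and key do not match" >&2; exit 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: cert expires within 30 days" >&2; exit 1; }
    key_is_private "$2"         || { echo "FAIL: key readable by group/other" >&2; exit 1; }
    echo "OK: certificate and key are consistent"
fi
```

A mismatch between SSLCertificateFile and SSLCertificateKeyFile otherwise only shows up when httpd fails to start, so running this first keeps the failure out of the restart step.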