Unable to add new certificate CA into Nagios xi

This support forum board is for support questions relating to Nagios xi, our flagship commercial network monitoring solution.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Unable to add new certificate CA into Nagios xi

Post by hbouma »

I am attempting to follow the instructions in https://assets.nagios.com/downloads/nag ... ponent.pdf for Nagios xi. However, when I copy the certificate information from der format and attempt to import it into Nagios, it tells me that "This certificate has already been added".

I know that the certificate is not yet present as none of the existing certs have the same end date, but there are several CAs already in Nagios as it communicates to various LDAP environments and products.

How can I force Nagios to import this new CA to trust it for the check_LDAP checks?
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to add new certificate CA into Nagios xi

Post by gsmith »

Hi,

Please don't use the der format - from https://assets.nagios.com/downloads/nag ... ponent.pdf :

page 4:
Image6.jpg
page 6:
Image7.jpg

Please let us know how that works for you.

Thanks
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to add new certificate CA into Nagios xi

Post by hbouma »

Sorry, it was Base-64, not DER.

It is readable in Notepad and starts and ends with the expected lines. However, Nagios xi will not accept the value.

I have done this from a command line in the past as Nagios was unhappy with these values before we upgraded the CA in these LDAP environments. However, I cannot find my documentation on what was done.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to add new certificate CA into Nagios xi

Post by gsmith »

Hey,

What OS is that Nagios xi server running on?

Thx
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to add new certificate CA into Nagios xi

Post by hbouma »

This is running a VM of RHEL 7.9, 64bit.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to add new certificate CA into Nagios xi

Post by gsmith »

Hi,

Here's what I have from my notes. If something doesn't work, try one of the alternatives that is surrounded by single *; the items surrounded by *** are extra information:
For when you want a client to trust a server's self-signed cert

on the client:
openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
note - in the above the server name (or IP address) is required in two places - look for the word server

type "quit", followed by the "ENTER" key

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

*** If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata. ***

*** If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone with the
curl command line tool: --cacert [file] ***

to add to CA certificate store:
openssl x509 -outform der -in cacert.pem -out cacert.crt

sudo cp cacert.crt /etc/pki/ca-trust/source/anchors -- this location for CentOS machine
* sudo cp cacert.crt /usr/local/share/ca-certificates -- this location for Ubuntu 16 *

sudo update-ca-trust extract (CentOS 8)
* sudo update-ca-certificates (other distro versions) *
* sudo dpkg-reconfigure ca-certificates (Ubuntu 16) *
Let me know if that works for you

Thanks
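Added example, not part of the original posts: the file written by `openssl s_client -showcerts` holds handshake text around one or more certificate blocks, so this sketch splits the blocks out and compares their SHA-256 fingerprints against a directory of already trusted certificates, PEM or DER. The function names and sample bodies are constructed for illustration, and the thread does not say how Nagios XI itself decides that a certificate "has already been added".

```shell
# Added example; all certificate bodies below are constructed placeholders.

# Write each BEGIN/END CERTIFICATE block in $1 to $2/cert-N.pem, dropping the
# handshake text s_client prints around them. Prints the number of blocks.
split_pem_blocks() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }' "$1"
}

# SHA-256 of the DER bytes (what a certificate fingerprint is computed over).
# PEM: decode the first block. Otherwise treat the file as DER (a converted .crt).
cert_sha256() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        awk '/-----BEGIN CERTIFICATE-----/ { k = 1; next }
             /-----END CERTIFICATE-----/ { exit } k' "$1" |
            tr -d '\r\n' | base64 -d | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# Print the file in directory $2 whose fingerprint matches $1; exit 1 if none.
find_in_store() {
    want=$(cert_sha256 "$1")
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if [ "$(cert_sha256 "$f")" = "$want" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Constructed stand-in for s_client -showcerts output (two placeholder blocks).
make_sample() {
    { echo 'CONNECTED(00000003)'
      for body in constructed-cert-A constructed-cert-B; do
          echo '-----BEGIN CERTIFICATE-----'
          printf '%s' "$body" | base64
          echo '-----END CERTIFICATE-----'
      done
      echo 'SSL handshake has read 0 bytes'; } > "$1"
}

work=$(mktemp -d); mkdir "$work/split" "$work/anchors"
make_sample "$work/cacert.pem"; split_pem_blocks "$work/cacert.pem" "$work/split"
printf '%s' constructed-cert-B > "$work/anchors/old.crt"  # DER-style copy already in store
for c in "$work"/split/*.pem; do
    find_in_store "$c" "$work/anchors" || echo "$c: not in store"
done; rm -rf "$work"
```

On a real host the second argument to `find_in_store` would be the anchors directory named in the post above, and a match means the same certificate bytes are already there regardless of file name or encoding.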
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to add new certificate CA into Nagios xi

Post by hbouma »

I added the certs using the method listed below.

It doesn't show them in the GUI, so I am not 100% sure if Nagios will trust them until we go live with the new CA on 7/29. I will let you know once we know.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to add new certificate CA into Nagios xi

Post by gsmith »

Hi,

I was doing some research and I haven't seen a way to "pre-load" a server's
future cert on a client.

The one thought I had was you could fire up a test server and verify it trusts one of
the LDAP machines. Then change the date on the test server to 07/30 and see what happens.
I am betting you would need to import the "new" cert from the server.

Not sure you're aware, because some people miss this, but you are entitled to use your
license on 3 machines. Here's the info:
Nagios xi License Policy
With every purchase we offer 3 separate activation of xi licenses. One for production, one for testing, and one for high availability. We always recommend upgrading on a test server first before making changes to the production server.

Nagios License Entitlements
https://support.nagios.com/kb/article.php?id=145
If it was me I would like to know before 29 July ;)

Thanks
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to add new certificate CA into Nagios xi

Post by hbouma »

Thank you. We do have a TST server setup and in use.

However, we cannot perform the import of the new CA until maintenance on the 29th; there is no LDAP server using the new CA at this time for testing.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to add new certificate CA into Nagios xi

Post by gsmith »

OK. I will leave this open until I hear back from you in the future.

Thanks