
Hi all! I’m trying to secure the Centreon platform with HTTPS using the official documentation. Everything is working, Apache is fine, and my files are correctly configured, but I get an unexpected error with my certificate in my browser (Chrome and Mozilla are the same), which returns this:

I’m sure I followed the right instructions when I created my CSR. I used a local certificate authority in my domain (ADCS), which gave me a good certificate (.cer / .pem).

So I’m totally done :(

Do you have any solution or idea?

Hello ​@tsuko ,

Did you import the CA that you used to create the self-signed certificate? You also need to use one of the FQDNs included in the certificate to connect to the web interface.

Regards


Hi @cg-tw! I didn’t create a self-signed certificate! My Centreon is in the same domain as my ADCS.

I’ve just created a CSR for my ADCS, which gave me a good .cer for my Debian Centreon VM, and I’ve imported my centreon.cert + CAroot.cert into the correct folder (etc/ssl/certs) and added my centreon.key in etc/ssl/private. I’ve also specified in my website’s apache.conf the right location to find the certificate, but when I try to connect in Chrome/Mozilla it gives me this certificate error :(


Hello ​@tsuko 

If you accept for now under an incognito/private window, do you see something like this? (The top CA cert and the signed one provided?)

Does the address match the DNS name or IP? Also, any errors under /var/log/apache/error_log? (or similar under your Debian)

 

🤔🤞


Hi @ponchoh, I don’t see something like yours: “Certificate Subject Alternative Name”

but in “etc/ssl/openssl.conf” I wrote the correct information like this:

[ alt_names ]
IP.1 = 10.x.x.x
DNS.1 = srv-centreon.xxxx.lan
DNS.2 = srv-centreon

[ v3_ca ]
subjectAltName = @alt_names

But that doesn’t appear in my certificate... so my apache.conf doesn’t look inside this config file to take this information?


@tsuko, the “/etc/ssl/openssl.conf” changes can be done through there or directly on the request. But in this case it is not a concern for you, as you are using a different flow for a self-signed certificate, one through your ADCS.

I was able to find these posts:

https://www.winsysadminblog.com/2017/05/how-to-allow-an-active-directory-certificate-authority-to-generate-certificates-with-a-subject-alternative-name-attribute/

https://serverfault.com/questions/476413/subject-alternative-name-not-added-to-certificate#527366

I am not an expert at ADCS but you do require an alt name to not see the error.

https://stackoverflow.com/questions/43665243/invalid-self-signed-ssl-cert-subject-alternative-name-missing

🤔🤞
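
A CSR only carries the extensions from the section named by `req_extensions`, so one way to get the SANs discussed above into the request is a small per-host config. This is an added example, not part of the thread; the `example.lan` names, the IP address and the output file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-host CSR config with SANs, then a check that the CSR carries them.
# Host names and the IP address used with it are constructed placeholders.

# Print an OpenSSL request config. The common name is repeated as the first SAN
# because browsers match the host name against SAN entries, not the CN.
# usage: san_csr_config <fqdn> [<extra DNS name or IPv4 address>...]
san_csr_config() {
    cn=$1; shift
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n\n'
    printf '[ dn ]\nCN = %s\n\n' "$cn"
    printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
    dns=0; ip=0
    for san in "$cn" "$@"; do
        case $san in
            *[!0-9.]*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "$san" ;;
            *)         ip=$((ip + 1));   printf 'IP.%d = %s\n' "$ip" "$san" ;;
        esac
    done
}

# Create a key and CSR from the config, then print the SAN line found in the CSR.
# Fails (non-zero) if the CSR has no SAN, which is the state to catch before
# sending the request to the CA.
# usage: make_csr <config> <key-out> <csr-out>
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" \
        -keyout "$2" -out "$3" 2>/dev/null || return 1
    openssl req -in "$3" -noout -text | grep 'DNS:'
}

# Example run: sh san_csr.sh srv-centreon.example.lan srv-centreon 10.0.0.10
if [ "$#" -gt 0 ]; then
    san_csr_config "$@" > csr.cnf
    make_csr csr.cnf server.key server.csr
fi
```

Once the CA returns the certificate, `openssl x509 -in <cert> -noout -text` shows whether the SAN entries survived signing.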

 

 


Hi @ponchoh, I’ve resolved my problem with a new config file that I created when I applied a SAN insert directive. But I’ve met a new problem now: I can’t add a new host, and autodiscovery doesn’t work xD... What’s wrong with that? Does Gorgoned need to get the original config file? I absolutely don’t know! I will search more and give you feedback quickly!


Hi @ponchoh, I’m encountering the following problem now:

The HTTPS website is working, but when I try to use a discovery job or just add a new host, this appears:

I don’t know why! I followed the right directive:

I created a new config (srv-centreon.config) in which I added the required SAN to create my CSR for my own domain CA (ADCS). Afterwards, my CA signed and returned a valid certificate (certnew.cer + certnew.p7b) and the CA.cer. I copied them into my certs folder (just changed the extension: cer => pem).

So where is this “local issuer certificate” that it requires…?


@tsuko, from your central, a couple of things (update the URL with yours):

Can you do a curl to your URL:

curl https://FQDN/centreon/ -vvv

 

and https://docs.centreon.com/docs/administration/secure-platform/#activating-https-mode-on-your-web-server step 9

 

  1. Gorgone API configuration

Replace 127.0.0.1 with the FQDN of your central server in the /etc/centreon-gorgone/config.d/31-centreon-api.yaml file:

gorgone:
  tpapi:
    - name: centreonv2
      base_url: "http://centreon7.localdomain/centreon/api/latest/"
      username: "centreon-gorgone"
      password: "bpltc4aY"
    - name: clapi
      username: "centreon-gorgone"
      password: "bpltc4aY"

Hi @ponchoh!

This is the result in my gorgone.log.

I’ve changed my “centreon-gorgone passwd” and also in the “31-centreon-api.yaml file”, but that doesn’t change anything.

And this is the result of the curl command:

 


Hello ​@tsuko 

 

From here we can see that the CA certificate is not properly installed. I think you have a xxxRootCA.crt

sudo cp xxxRootCA.crt /etc/pki/ca-trust/source/anchors/

sudo update-ca-trust extract

Once you have properly imported the CA for your cert, you should not see this curl issue and we can continue


Hi @ponchoh, I’m on a DB12 VM, so I don’t have this directory. My certificates are in /etc/ssl/certs/

My directory /etc/ssl/ contains 2 folders like this: Private + Certs

I copied my private key into the “private” folder and my “srv-centreon.cer + xxx-RootCA.cer” into the “Certs” folder

(I changed the .cer to .pem for my srv-centreon.cer but not for my CA. Is that my mistake?)

This is my srv-centreon.pem certificate, delivered by my own RootCA (in /certs/)
This is my RootCA authority certificate (in /certs/), which signed my CSR from the Centreon server
This is my private key in the folder /etc/ssl/private

 


Hello, for Debian:

copy your 

to xxxx-RootCA.crt then copy it and then update

sudo cp xxxx-RootCA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

If your cert is DER encoded then

openssl x509 -inform DER -in xxxx-RootCA.cer -out xxxx-RootCA.crt
sudo cp xxxx-RootCA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

I am not an expert at MS certs, so there might be more to it. 
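
The Debian steps above, as an added script that is not part of the thread: it decides between PEM and DER by looking at the file content instead of the extension, installs the root under a `.crt` name (the only extension `update-ca-certificates` picks up), and can then verify the server certificate against the system store. File names in the usage line are placeholders, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: register a private root CA in the Debian system trust store.
# File names passed in are placeholders; the store path is the one named in the thread.

# Print "pem", "der" or "unknown" for a certificate file, judged by content,
# not by extension (.cer from a Windows CA can be either encoding).
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with the ASN.1 SEQUENCE tag 0x30
    else
        echo unknown
    fi
}

# File name to use in the store: update-ca-certificates only picks up *.crt.
store_name() {
    base=$(basename "$1")
    echo "${base%.*}.crt"
}

# usage: install_root_ca <root-ca-file> [<server-cert-to-verify>]
install_root_ca() {
    dest=/usr/local/share/ca-certificates/$(store_name "$1")
    case $(cert_encoding "$1") in
        pem) sudo cp "$1" "$dest" ;;
        der) openssl x509 -inform DER -in "$1" | sudo tee "$dest" >/dev/null ;;
        *)   echo "$1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
    sudo update-ca-certificates || return 1
    # Optional: confirm the server certificate now chains to a trusted root.
    if [ -n "$2" ]; then
        openssl verify -CApath /etc/ssl/certs "$2"
    fi
}

# Example run: sh install_ca.sh xxxx-RootCA.cer /etc/ssl/certs/srv-centreon.pem
if [ "$#" -gt 0 ]; then
    install_root_ca "$@"
fi
```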


Hi @ponchoh, that looks like it works! Thank you very much, it’s my fault... I didn’t expect that just a file extension would cause this error 😞 Sorry, I need to learn more about SSL certificates in a Debian environment!


Hey, no worries! Happy to help!

 

🎉💃🎊🥳

