Hello,
I have the exact same issue, but only while updating centreon from version 24.04.07 to 24.10.01.
When I try to create a new host (and only when I perform that operation), I have the following message :

My certificate is signed by a CA of my own (almost like described in that link) and my virtualhost looked like that :
# Section added by Centreon Install Setup
#
Define base_uri "/centreon"
Define install_dir "/usr/share/centreon"
ServerTokens Prod
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=Strict
ServerSignature Off
TraceEnable Off
<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/monitoring.xxx.local.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxx.local.key
SSLCACertificateFile /etc/apache2/ssl/xxxCA.pem
</IfModule>
Alias ${base_uri}/api ${install_dir}
Alias ${base_uri} ${install_dir}/www/
<IfModule mod_brotli.c>
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
<LocationMatch ^\${base_uri}/?(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/www/$1"
</LocationMatch>
<LocationMatch ^\${base_uri}/?(authentication|api/(latest|beta|v[0-9]+|v[0-9]+\.[0-9]+))/.*$>
ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/api/index.php/$1"
</LocationMatch>
ProxyTimeout 300
ErrorDocument 404 ${base_uri}/index.html
Options -Indexes +FollowSymLinks
<IfModule mod_security2.c>
# https://github.com/SpiderLabs/ModSecurity/issues/652
SecRuleRemoveById 200003
</IfModule>
<Directory "${install_dir}/www">
DirectoryIndex index.php
AllowOverride none
Require all granted
FallbackResource ${base_uri}/index.html
</Directory>
<Directory "${install_dir}/api">
AllowOverride none
Require all granted
</Directory>
<If "'${base_uri}' != '/'">
RedirectMatch ^/$ ${base_uri}
</If>
</VirtualHost>
So to add a new host I need to disable SSL on the Virtualhost and access Centreon in plain text …
Does someone have a workaround?
Thank you very much for your time.
Regards,
Thierry
I have the same issue. Any workaround?
I have the same issue.
Any solution ?
I have the same issue with the latest update 24.10.2
For information, I have resolved this problem by adding the certificate of the Centreon web server to the CA authority in RHEL, /etc/pki/tls/certs/ca-bundle.crt
I don’t know why but my certificate was in state “UNKNOWN: 500 Can't connect to (certificate verify failed)”, as seen with the command “curl -I https://websitecentreon”
I have the same issue with the latest update 24.10.2
@sibeasc: I added the information from the .crt to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and restarted cbd/centengine/centreon/gorgoned/httpd, but no change...
I don’t need to restart the gorgoned service.
Don’t you have the file ca-bundle.crt?
no
/etc/pki/tls/certs/
total 12
lrwxrwxrwx. 1 root root 49 Jul 24 11:54 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jul 24 11:54 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 2423 Apr 4 2023 centreon.xxx.cer
-rw-r--r--. 1 root root 1424 Apr 4 2023 centreon.xxx.crt
Are you sure the certificate added to this file is correct?
I notice there are two different problems in this thread:
the original (same as me) :
SSL certificate problem: unable to get local issuer certificate for "https://centreon.XXX/centreon/api/latest/configuration/hosts".
the second problem from @thierry.lamoureux :
SSL certificate problem: self-signed certificate in certificate chain for "https://centreon.XXX/centreon/api/latest/configuration/hosts".
@sibeasc your solution works for the second problem but not for my problem.
@SavCent have you refreshed your chain after the import, with something like
sudo cp your-ca-cert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
you can also do a check from your host with a
curl https://centreon.XXX/centreon/ -vvv
@SavCent For me it has worked for problem “SSL certificate problem: unable to get local issuer certificate”.
We found the solution:
we copied caentreprise.cer, which contains the intermediate certificate of the chain, into /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
and it’s ok
So the problem was missing the intermediate certificate.
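The two error messages distinguished in this thread correspond to two different OpenSSL verification results. The script below is an added example, not code from any poster or from Centreon: it builds a throwaway PKI (all subjects, file names and the helper names new_key_csr, sign, build_pki and chain_status are assumptions made for the example) and classifies each case with openssl verify.

```bash
# Constructed test PKI: root CA -> intermediate CA -> leaf, plus an unrelated CA.
work=$(mktemp -d)
cat > "$work/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
# new_key_csr NAME CN: private key and CSR for a constructed subject.
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/pki.cnf" \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
# sign NAME ISSUER [x509 options]: issue NAME's certificate from ISSUER.
sign() {
  local name=$1 issuer=$2; shift 2
  openssl x509 -req -in "$work/$name.csr" -days 1 -CA "$work/$issuer.pem" \
    -CAkey "$work/$issuer.key" -CAcreateserial "$@" -out "$work/$name.pem" 2>/dev/null
}
build_pki() {
  for ca in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/pki.cnf" \
      -extensions ca -subj "/CN=Constructed $ca CA" \
      -keyout "$work/$ca.key" -out "$work/$ca.pem" 2>/dev/null
  done
  new_key_csr inter "Constructed Intermediate CA"
  sign inter root -extfile "$work/pki.cnf" -extensions ca
  new_key_csr leaf "centreon.example.test"
  sign leaf inter
  cat "$work/inter.pem" "$work/root.pem" > "$work/sent-with-root.pem"
}
# chain_status TRUST LEAF [SENT]: TRUST is the client's CA bundle, SENT the
# extra certificates the server presents. Maps openssl's error number to a label.
chain_status() {
  local out
  out=$(openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  case "$out" in
    *"error 20 "*) echo missing-issuer ;;  # unable to get local issuer certificate
    *"error 19 "*) echo untrusted-root ;;  # self-signed certificate in certificate chain
    *": OK"*)      echo ok ;;
    *)             echo other ;;
  esac
}
build_pki
chain_status "$work/root.pem"  "$work/leaf.pem"                     # intermediate absent
chain_status "$work/root.pem"  "$work/leaf.pem" "$work/inter.pem"   # chain complete
chain_status "$work/other.pem" "$work/leaf.pem" "$work/sent-with-root.pem"  # root not trusted
```

Against a real installation, TRUST would be the system bundle (/etc/pki/tls/certs/ca-bundle.crt on the hosts in this thread) and LEAF and SENT the certificate files configured in the Apache virtual host.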
I’m also facing the same issue; after some R&D I found the solution below.
- Server IP = 192.168.36.2
- Server Hostname = centreon.satish.com
+ DIR=/etc/centreon/certificate; [ -d $DIR ] && mv $DIR $DIR-old; mkdir -p $DIR || mkdir -p $DIR
+ vim /etc/pki/tls/openssl.cnf
# Add the alt_names tag that allows you to inform our various IPs and FQDNs for the server
[ alt_names ]
IP.1 = 192.168.36.2
DNS.1 = centreon.satish.com
# If you have several IP (HA: vip + ip)
# IP.2 = xxx.xxx.xxx.xxx
[ v3_ca ]
subjectAltName = @alt_names
- Generate New Certificate
+ openssl genrsa -out /etc/centreon/certificate/centreon.key 2048
+ chmod 400 /etc/centreon/certificate/centreon.key
+ export pass="centreon";openssl genrsa -aes256 -passout env:pass -out /etc/centreon/certificate/ca.key 2048
+ openssl req -new -x509 -days 10950 -key /etc/centreon/certificate/ca.key -out /etc/centreon/certificate/ca.crt -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Satish PVT LTD/OU=IT/CN=192.168.36.2/emailAddress=it@satish.com" -passin pass:centreon
+ openssl req -new -key /etc/centreon/certificate/centreon.key -out /etc/centreon/certificate/centreon.csr -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Satish PVT LTD/OU=IT/CN=192.168.36.2/emailAddress=it@satish.com"
+ openssl x509 -req -in /etc/centreon/certificate/centreon.csr -out /etc/centreon/certificate/centreon.crt -CA /etc/centreon/certificate/ca.crt -CAkey /etc/centreon/certificate/ca.key -CAcreateserial -CAserial /etc/centreon/certificate/ca.srl -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -passin pass:centreon
- Update CA Trust
+ systemctl restart php-fpm httpd
+ rm -rf /etc/pki/ca-trust/source/anchors/centreon.pem
+ echo -n | openssl s_client -connect 192.168.36.2:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/centreon/certificate/centreon.pem
+ cp /etc/centreon/certificate/centreon.pem /etc/pki/ca-trust/source/anchors/
+ update-ca-trust
+ systemctl restart httpd php-fpm
Looks like a chain was extracted and added. Thank you @singh5816
Hello
I've been having the same problem since I migrated from 24.10 to OL8.10, but not with a self-signed certificate.
In fact, I purchased one from Gandi.
Is there a way to fix this without regenerating the certificate?
I had no problems with 23.04.
Best regards
Hello,
I'm still having the problem "SSL certificate problem: unable to get local issuer certificate for ..."
I have the impression that my certificate is being processed by Apache but not by Centreon.
Is there a configuration file that indicates which certificate files are being used?
Or a log that would indicate which certificate is not being loaded?
Best regards
Hello
I don’t put SSL info within
<IfModule mod_ssl.c>
I have this kind of config with a certificate issued by an Active Directory DC.
<VirtualHost *:443>
ServerName centreon.domain.local
SSLEngine on
SSLCertificateFile "/etc/ssl/certs/local.crt"
SSLCertificateKeyFile "/etc/ssl/private/local.key"
SSLCertificateChainFile "/etc/ssl/certs/CAOfTheDC.cer"
Pierre
hello
here is my http conf file :
#####################
# SSL configuration #
#####################
SSLProtocol all -TLSv1.2
SSLProtocol all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
<Macro SSLEnable >
SSLEngine on
SSLCertificateFile "/etc/ca-certificates/XXXXXX.fr.crt"
SSLCertificateChainFile "/etc/ca-certificates/GandiStandardSSLCA2.pem"
SSLCACertificateFile "/etc/ca-certificates/GandiStandardSSLCA2.pem"
SSLCertificateKeyFile "/etc/ca-certificates/XXXXXXX.fr.key"
</Macro>
<VirtualHost *:443>
Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=Strict
ServerSignature Off
TraceEnable Off
servername YYYYYYYYY.XXXXXXX.fr
SSLCompression Off
Use SSLEnable
Alias ${base_uri}/api ${install_dir}
Alias ${base_uri} ${install_dir}/www/
<IfModule mod_brotli.c>
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
<LocationMatch ^\${base_uri}/?(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/www/$1"
</LocationMatch>
<LocationMatch ^\${base_uri}/?(authentication|api/(latest|beta|v[0-9]+|v[0-9]+\.[0-9]+))/.*$>
ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/api/index.php/$1"
</LocationMatch>
ProxyTimeout 300
ErrorDocument 404 ${base_uri}/index.html
Options -Indexes +FollowSymLinks
<IfModule mod_security2.c>
# https://github.com/SpiderLabs/ModSecurity/issues/652
SecRuleRemoveById 200003
</IfModule>
<Directory "${install_dir}/www">
DirectoryIndex index.php
AllowOverride none
Require all granted
FallbackResource ${base_uri}/index.html
</Directory>
<Directory "${install_dir}/api">
AllowOverride none
Require all granted
</Directory>
<If "'${base_uri}' != '/'">
RedirectMatch ^/$ ${base_uri}
</If>
</VirtualHost>
I had no problem with Centreon 23.04 but now with 24.10, I need to ask my team not to connect in https because when we save config we lose it (for example input or output in broker conf).
Best regards
Hello, I made a test to check the certificate with testsslserver4.exe :
TestSSLServer4.exe ****************************
Connection: *******************************:443
SNI: *************************************
TLSv1.0:
server selection: enforce server preferences
3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_SEED_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLSv1.1: idem
TLSv1.2:
server selection: enforce server preferences
3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA384
3f- (key: RSA) ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
3f- (key: RSA) ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_256_GCM_SHA384
3f- (key: RSA) DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_CCM_8
3f- (key: RSA) DHE_RSA_WITH_AES_256_CCM
3f- (key: RSA) DHE_RSA_WITH_ARIA_256_GCM_SHA384
3f- (key: RSA) DHE_RSA_WITH_AES_128_GCM_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_128_CCM_8
3f- (key: RSA) DHE_RSA_WITH_AES_128_CCM
3f- (key: RSA) DHE_RSA_WITH_ARIA_128_GCM_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_128_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_SEED_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match: no
includes root: no
signature hash(es): SHA-256 SHA-384
+ certificate order: 0
thumprint: ************************************
serial: *****************************
subject: CN=fsyprodcentcentral.syleps.fr
issuer: CN=GandiCert,O=Gandi SAS,C=FR
valid from: 2025-03-13 00:00:00 UTC
valid to: 2026-02-28 23:59:59 UTC
key type: RSA
key size: 4096
sign hash: SHA-256
server names:
***************************
+ certificate order: 1
thumprint: ****************************************
serial: **********************************
subject: CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR
issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
valid from: 2014-09-12 00:00:00 UTC
valid to: 2024-09-11 23:59:59 UTC
key type: RSA
key size: 2048
sign hash: SHA-384
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): yes
SSLv2 ClientHello format (for SSLv3+): yes
Minimum DH size: 4096
DH parameter reuse: no
Minimum EC size (with extension): 252
Server does not use EC without the client extension
ECDH parameter reuse: no
Supported curves (size and name) ('*' = selected by server):
256 secp256r1 (P-256)
384 secp384r1 (P-384)
521 secp521r1 (P-521)
252 ecdh_x25519
446 ecdh_x448
=========================================
No warning.
There is no error, no warning, but I still have the problem.
I have no problem accessing Centreon; my problem is only when validating changes: I lose all data from the page I leave, for example in the broker management page all the input or output parameters.
Thanks in advance for any help
Centreon 24.10.7 on Oracle Linux 8.10
yes two years ago when installing 23.04
23.04 was working perfectly but since I changed to 24.10 I can’t work over https.
Is there a log where I can find the error ?
Best regards
@S.lhotellier confirm you have the https config in
/etc/httpd/conf.d/10-centreon.conf
Yes my config is in /etc/httpd/conf.d/10-centreon.conf