Skip to main content
Solved

Centreon can't access https

Hi,

I am trying to configure https following the centreon guide (Secure your platform | Centreon Documentation), so far everything seems to work fine in the console at least. No error on httpd.

The problem is that i can’t access the website via my navigator, i get the error “xx.xx.xx.xx was too long to answer”. If i put back the old  10-centreon.conf everything works  fine (but http only).

Here a both version of the config file (it might be a stupid mistake but i can’t find it) :

Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ServerSignature Off
ServerTokens Prod
TraceEnable Off

Define base_uri "/centreon"
Define install_dir "/usr/share/centreon"

ServerTokens Prod

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    #####################
    # SSL configuration #
    #####################
    SSLEngine On
    SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
    SSLHonorCipherOrder On
    SSLCompression Off
    SSLCertificateFile /etc/pki/tls/certs/centreon.crt
    SSLCertificateKeyFile /etc/pki/tls/private/centreon.key

    Alias ${base_uri}/api ${install_dir}
    Alias ${base_uri} ${install_dir}/www/

    <LocationMatch ^\${base_uri}/?(?!api/latest/|api/beta/|api/ve0-9]+/|api/v90-9]+\./0-9]+/)(.*\.php(/.*)?)$>
        ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/www/$1"
    </LocationMatch>

    <LocationMatch ^\${base_uri}/?(authentication|api/(latest|beta|ve0-9]+|v|0-9]+\.|0-9]+))/.*$>
        ProxyPassMatch "fcgi://127.0.0.1:9042${install_dir}/api/index.php/$1"
    </LocationMatch>

    ProxyTimeout 300
    ErrorDocument 404 ${base_uri}/index.html
    Options -Indexes +FollowSymLinks

    <IfModule mod_security2.c>
        # https://github.com/SpiderLabs/ModSecurity/issues/652
        SecRuleRemoveById 200003
    </IfModule>

    <Directory "${install_dir}/www">
        DirectoryIndex index.php
        AllowOverride none
        Require all granted
        FallbackResource ${base_uri}/index.html
    </Directory>

    <Directory "${install_dir}/api">
        AllowOverride none
        Require all granted
    </Directory>

    <If "'${base_uri}' != '/'">
        RedirectMatch ^/$ ${base_uri}
    </If>
</VirtualHost>
#
# Section added by Centreon Install Setup
#
Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly
ServerSignature Off
ServerTokens Prod
TraceEnable Off

Alias /centreon/api /usr/share/centreon
Alias /centreon /usr/share/centreon/www/

<LocationMatch ^/centreon/(?!api/latest/|api/beta/|api/ve0-9]+/|api/v90-9]+\./0-9]+/)(.*\.php(/.*)?)$>
    ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/www/$1
</LocationMatch>

<LocationMatch ^/centreon/(authentication|api/(latest|beta|ve0-9]+|v|0-9]+\.|0-9]+))/.*$>
    ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/api/index.php/$1
</LocationMatch>

ProxyTimeout 300

<Directory "/usr/share/centreon/www">
    DirectoryIndex index.php
    Options Indexes
    AllowOverride all
    Order allow,deny
    Allow from all
    Require all granted
    <IfModule mod_php5.c>
        php_admin_value engine Off
    </IfModule>

    FallbackResource /centreon/index.html

    AddType text/plain hbs
</Directory>

<Directory "/usr/share/centreon/api">
    Options Indexes
    AllowOverride all
    Order allow,deny
    Allow from all
    Require all granted
    <IfModule mod_php5.c>
        php_admin_value engine Off
    </IfModule>

    AddType text/plain hbs
</Directory>

RedirectMatch ^/$ /centreon

 

Thanks in advance ^^

 

Hello o/

When you restarted httpd, there is nothing in /var/log/httpd/error_log or /var/log/httpd24/error_log (or even in /var/log/messages) ?

firewalld and iptables are disabled ?

Regards,

Thanks.

The  /var/log/httpd/error_log was empty and I didn’t see any error in /var/log/messages.

I have some lines that I will need to look into in the /var/log/httpd24/error_log.

If there was a problem with either firewalld and iptables, why is it working in http only ?

 

 

iSun May 29 03:47:01.811462 2022] 2ssl:warn] lpid 4045] AH01906: centreon:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
?Sun May 29 03:47:01.811575 2022] 5http2:warn] 2pid 4045] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm$
mSun May 29 03:47:01.812094 2022] 4lbmethod_heartbeat:notice] npid 4045] AH02282: No slotmem from mod_heartmonitor
oSun May 29 03:47:01.812339 2022] 9mpm_prefork:notice] npid 4045] AH00163: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips configured -- resuming normal operations
nSun May 29 03:47:01.812345 2022] 5core:notice] npid 4045] AH00094: Command line: '/opt/rh/httpd24/root/usr/sbin/httpd -D FOREGROUND'
DMon May 30 10:55:01.178581 2022] 1mpm_prefork:notice] npid 4045] AH00170: caught SIGWINCH, shutting down gracefully
lMon May 30 10:55:19.386240 2022] 0core:notice] npid 1266] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
sMon May 30 10:55:19.393978 2022] 8ssl:warn] lpid 1266] AH01906: centreon:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
?Mon May 30 10:55:19.394454 2022] 4suexec:notice] npid 1266] AH01232: suEXEC mechanism enabled (wrapper: /opt/rh/httpd24/root/usr/sbin/suexec)
cMon May 30 10:55:19.402307 2022] 7:notice] npid 1266] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
dMon May 30 10:55:19.402321 2022] 1:notice] npid 1266] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
8Mon May 30 10:55:19.402324 2022] 4:notice] npid 1266] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
0Mon May 30 10:55:19.402329 2022] 9:notice] npid 1266] ModSecurity: LUA compiled version="Lua 5.1"
1Mon May 30 10:55:19.402330 2022] 0:notice] npid 1266] ModSecurity: YAJL compiled version="2.0.4"
4Mon May 30 10:55:19.402332 2022] 2:notice] npid 1266] ModSecurity: LIBXML compiled version="2.9.1"
1Mon May 30 10:55:19.402334 2022] 4:notice] npid 1266] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
nMon May 30 10:55:19.586143 2022] 3ssl:warn] lpid 1266] AH01906: centreon:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
?Mon May 30 10:55:19.586234 2022] 4http2:warn] 2pid 1266] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm$
mMon May 30 10:55:19.586646 2022] 6lbmethod_heartbeat:notice] npid 1266] AH02282: No slotmem from mod_heartmonitor
oMon May 30 10:55:19.591365 2022] 5mpm_prefork:notice] npid 1266] AH00163: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips configured -- resuming normal operations
nMon May 30 10:55:19.591393 2022] 3core:notice] npid 1266] AH00094: Command line: '/opt/rh/httpd24/root/usr/sbin/httpd -D FOREGROUND'

 

Great news i stop the firewalld service just to be sure… 

I now know what is the problem

 

 

The SSL configuration seems to be wrong:

[Sun May 29 03:47:01.811462 2022] [ssl:warn] [pid 4045] AH01906: centreon:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

You’re in 22.04 ?

Though i was 22.10 but im just blind im 21.1 xD

Also why is the https service not showing on the service list when i enabled it?

is there something else to add to allow https?

Sorry did not catch you.

With firewalld off it’s working ?

Yes with firewall of its working, 

upgrading to 22.04 seems to have resolved the issue x).

My bad I’m just stupid

No you’re not :)

I’m not an expert on firewalld sorry about that.

For some reason after the upgrade, the https is now showing in the service list.

I have no clue what was the issue appart from the config file may be !

Anyway thanks for your help !

Reply


Terms & ConditionsCookie settings