This article describes how to use self-signed SSL certificates with the Infrastructure Agent on both ends: the agent on the monitored host, and the Opsview Orchestrator/Collector that runs the service checks against it.
If you try to use self-signed certificates with the Infrastructure Agent without making the necessary changes to both the agent configuration file and the Web UI, you will see errors such as these:
CHECK_NRPE: Error - Certificate verification failed: Self-signed certificate in chain
SSL Handshake error ([SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1129))
1. ON THE MONITORED HOST: Edit your agent configuration file (/opt/itrs/infrastructure-agent/cfg/custom/agent.yml) so that the tls settings under server have the following:
- ca_cert: null
- ca_path: null
- check_client_cert: false
- cert_file and key_file set to the paths of the agent's certificate and private key.
- The cert and key file are created automatically by the Infrastructure Agent and are located in /opt/itrs/infrastructure-agent/var/ (on Windows, the var\ directory under the agent's installation folder, as in the error below).
- Note: If you see the error below in your Windows logs, either create a different directory for the certificates (and point cert_file and key_file at it) or delete the existing certs and restart the Infrastructure Agent. The agent will then generate a new pair, and the log should say that it is creating self-signed certificates.
agent.ssl_helper.AgentSSLError: server: [Errno 2] No such file or directory:
'C:\\Program Files\\Infrastructure Agent\\var\\ejf-wintest-server.crt'
The resulting server section of agent.yml looks like this:
server:
  tls:
    ca_cert: null
    ca_path: null
    cert_file: '/opt/itrs/infrastructure-agent/var/name-of-cert-file'
    key_file: '/opt/itrs/infrastructure-agent/var/name-of-key-file'
    check_client_cert: false
    cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    context_options:
      - NO_SSLv3
      - NO_TLSv1
      - NO_TLSv1_1
    tls_enabled: true
    tls_handshake_timeout: 3
Note: check_client_cert must be set to false, and the client must not send a certificate (omit the -C option, or give it an empty value as in the examples below). It is much better to use real certificates and proper checks all around, but that is not always practical or affordable. If check_client_cert is set to true and the client sends no certificate, you will get an error like this:
UNKNOWN: SSL Error raised in Agent Client ([SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED]
tlsv13 alert certificate required (_ssl.c:2633))
If you are using self-signed certificates, you would not want to be checking client certificates: with ca_cert and ca_path set to null, the agent has nothing to validate a client certificate against.
2. After making changes to your agent configuration file, restart the Infrastructure Agent:
systemctl restart infrastructure-agent
3. Since you are using self-signed certificates, you don't need to supply a CA certificate when the service check runs. Confirm that no value is entered for the '-r' option (path to the CA certificate) in the arguments used for the service check; these arguments hold the paths to the certificates on the Collector that is monitoring the host. If a CA path is listed in your Variables under Host settings, untick the box and leave the value blank. If you make any changes, click Submit Changes and then run Apply Changes.
The Orchestrator/Collector already has certificates created, and you can use the following path for the certificate ('-k' option):
/opt/opsview/etc/ssl/local-client.pem
Example commands with the '-r' option given an empty value. Note that the ADH-* entries in the '-y' cipher list are anonymous Diffie-Hellman suites, which authenticate neither side; the agent's cipher_suite above excludes them with !aNULL, so they will not be negotiated.
check_nrpe -H 'labtest005' -c check_cpu_stats -C '' -k '/opt/opsview/etc/ssl/local-client.pem' -r '' \
  -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'
check_nrpe -H '10.140.1.139' -c nsc_checkcpu -a 'warn=90 crit=95 time=10m time=1m ShowAll=long' \
  -C '' -k '/opt/opsview/etc/ssl/local-client.pem' -r '' \
  -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS'
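The errors quoted in this article all come down to the two sides disagreeing about who verifies whom. The following is an added example, not part of the Infrastructure Agent, Opsview or this article: a small Python script that parses a check_nrpe command line, cross-checks it against the agent's server tls settings, and expands both cipher strings with the standard ssl module to show which suites would authenticate nobody. The settings and the command line are copied from this article as constructed inputs; the function names and the wording of the findings are the example's own.

```python
"""Cross-check the agent-side TLS settings against the collector's check_nrpe
command line, and inspect the cipher strings each side offers.

Added example for this article; it is not code from the Infrastructure Agent
or Opsview. AGENT_TLS and CHECK_NRPE_CMD are constructed inputs copied from
the settings shown in the article; the rest of agent.yml is not modelled.
"""
import shlex
import ssl

# Constructed input: the server -> tls block from the article, as a dict.
AGENT_TLS = {
    "ca_cert": None,
    "ca_path": None,
    "cert_file": "/opt/itrs/infrastructure-agent/var/name-of-cert-file",
    "key_file": "/opt/itrs/infrastructure-agent/var/name-of-key-file",
    "check_client_cert": False,
    "cipher_suite": "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS",
    "context_options": ["NO_SSLv3", "NO_TLSv1", "NO_TLSv1_1"],
    "tls_enabled": True,
}

# Constructed input: the first check_nrpe example from the article.
CHECK_NRPE_CMD = (
    "check_nrpe -H 'labtest005' -c check_cpu_stats -C '' "
    "-k '/opt/opsview/etc/ssl/local-client.pem' -r '' "
    "-y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'"
)


def parse_check_nrpe(cmdline):
    """Map each single-letter check_nrpe option to its value.

    shlex honours the shell quoting, so -C '' yields an empty string instead
    of swallowing the next token. Option values in these commands never start
    with '-', so a token starting with '-' is always the next option; an
    option followed directly by another option is recorded as True.
    """
    argv = shlex.split(cmdline)
    opts = {}
    i = 1  # skip the program name
    while i < len(argv):
        tok = argv[i]
        if len(tok) == 2 and tok[0] == "-":
            has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            opts[tok[1]] = argv[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def anonymous_suites(cipher_string):
    """Expand an OpenSSL cipher string the way the library does and return the
    suites that perform no peer authentication (Au=None in OpenSSL's own
    description), i.e. the ADH-*/AECDH-* families."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"])


def findings(agent_tls, cmdline):
    """Return human-readable mismatches between the two sides, tied to the
    errors quoted in the article. An empty list means the two configurations
    agree with each other, which is not the same as being authenticated."""
    opts = parse_check_nrpe(cmdline)
    out = []
    if not agent_tls.get("tls_enabled"):
        out.append("agent has tls_enabled: false; check_nrpe cannot complete an SSL handshake")
    if agent_tls.get("check_client_cert") and not opts.get("C"):
        out.append("agent has check_client_cert: true but check_nrpe sends no client certificate "
                   "(-C empty or omitted): expect TLSV13_ALERT_CERTIFICATE_REQUIRED")
    if opts.get("r"):
        out.append(f"check_nrpe has -r {opts['r']!r}, so it verifies the agent certificate against "
                   "a CA; with a self-signed agent certificate leave -r empty, otherwise expect "
                   "'Certificate verification failed: Self-signed certificate in chain'")
    if not opts.get("r") and not agent_tls.get("check_client_cert"):
        out.append("neither side verifies the other: the connection is encrypted but not "
                   "authenticated against either peer")
    if opts.get("y"):
        anon = anonymous_suites(opts["y"])
        if anon:
            out.append("check_nrpe -y offers anonymous suites " + ", ".join(anon) +
                       "; the agent's cipher_suite must exclude them (!aNULL) or the handshake "
                       "itself authenticates nothing")
    return out


if __name__ == "__main__":
    for line in findings(AGENT_TLS, CHECK_NRPE_CMD):
        print("-", line)
```

Run as a script it prints the findings for the configuration in this article: the two sides agree, the collector's cipher list still names anonymous suites, and nothing is authenticated. Flip check_client_cert to true and it reports the CERTIFICATE_REQUIRED condition; put a path in -r and it reports the verification failure. This is an offline lint of the two configurations, not a live handshake test.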
You now have configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.
If you have any further questions:
- Please contact our Client Services team via the chat box available on any of our websites, or email support@itrsgroup.com
- Make sure you provide:
- ANY LOG FILE OR DIAGNOSTIC
- ANY SCREENSHOT