This article describes how to use self-signed SSL certificates with the Infrastructure Agent.
If you are trying to use self-signed certificates with the Infrastructure Agent without making the necessary changes to the agent configuration file and the Web UI, you will see these errors:
    CHECK_NRPE: Error - Certificate verification failed: Self-signed certificate in chain
    SSL Handshake error ([SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1129))
1. Edit your agent configuration file (/opt/itrs/infrastructure-agent/cfg/custom/agent.yml) to have the following:
   - ca_cert: null
   - ca_path: null
   - check_client_cert: false (the agent does not verify the client's certificate)
   - cert_file and key_file set to the paths of your certificate file and its matching key file.

    server:
      tls:
        ca_cert: null
        ca_path: null
        cert_file: '/opt/itrs/infrastructure-agent/var/path-to-cert-file'
        key_file: '/opt/itrs/infrastructure-agent/var/path-to-key-file'
        check_client_cert: false
        cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
        context_options:
          - NO_SSLv3
          - NO_TLSv1
          - NO_TLSv1_1
      tls_enabled: true
      tls_handshake_timeout: 3
2. After making changes to your agent configuration file, you will need to restart the Infrastructure Agent:

    systemctl restart infrastructure-agent
3. Since you are using self-signed certificates, you don't need to supply a CA certificate when the service check runs. Confirm that no value is entered for the '-r' option (path to CA certificate) in the arguments used for the service check. If a CA path is listed in your Variables under Host settings, uncheck the box and leave it blank. If you make any changes, click the Submit Changes button and then run Apply Changes.

   Example command with the '-r' option set to an empty value:

    check_nrpe -H 'labtest005' -c check_cpu_stats -C '/opt/itrs/infrastructure-agent/var/orchmainlab-server.crt' -k '/opt/itrs/infrastructure-agent/var/orchmainlab-server.key' -r '' -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'
You have now configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.
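With an empty '-r' value no CA certificate is supplied to the check, so one way to confirm you are talking to the intended agent is to compare the certificate it serves with the file named in cert_file. The script below is an added example, not part of the original article or ITRS code; port 5666 (the NRPE default) and all function names are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def normalize_fp(fingerprint: str) -> str:
    """Accept 'AA:BB:..' (openssl style) or plain hex; return lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the first certificate found in a PEM string."""
    start = pem_text.index(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 5666, timeout: float = 5.0) -> str:
    """SHA-256 fingerprint of the certificate presented on host:port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # self-signed: there is no CA to validate against,
    ctx.verify_mode = ssl.CERT_NONE  # so trust comes from the pin comparison instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def matches_pin(observed: str, pinned: str) -> bool:
    """Constant-time comparison of two fingerprints in either notation."""
    return hmac.compare_digest(normalize_fp(observed), normalize_fp(pinned))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): verify_agent_cert.py <agent-host> <cert-file>
    host, cert_path = sys.argv[1], sys.argv[2]
    with open(cert_path) as fh:
        expected = pem_fingerprint(fh.read())
    observed = served_fingerprint(host)
    ok = matches_pin(observed, expected)
    print(f"{host}: served={observed} expected={expected} match={ok}")
    sys.exit(0 if ok else 2)
```

Run it after the restart in step 2, passing the agent's host name and a copy of the certificate file; a non-zero exit means the agent is serving a different certificate from the one you configured.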
If you have any further questions:
- Please contact our Client Services team via the chat service box available on any of our websites or by email at support@itrsgroup.com
- Make sure you provide us with:
  - ANY LOG FILE OR DIAGNOSTIC
  - ANY SCREENSHOT