Articles in this section

Self help
FAQ
["FAQ"]

Opsview - How to use self-signed SSL certificates with the Infrastructure Agent

Avatar
ITRS Support
  • Updated
Follow

This article describes how to use self-signed SSL certificates with the Infrastructure Agent.

If you are trying to use self-signed certificates with the Infrastructure Agent without making the necessary changes to the agent configuration file and the Web UI, you will see these errors:

  • CHECK_NRPE: Error - Certificate verification failed: Self-signed certificate in chain
  • SSL Handshake error ([SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1129))

 

  1. Edit your agent configuration file (/opt/itrs/infrastructure-agent/cfg/custom/agent.yml) to have the following:
    • ca_cert: null
    • ca_path: null
    • check_client_cert: false
    • cert_file and key_file will need the path to your corresponding cert and key file.
server:  
  tls:
    ca_cert: null
    ca_path: null
    cert_file: '/opt/itrs/infrastructure-agent/var/path-to-cert-file'
    key_file: '/opt/itrs/infrastructure-agent/var/path-to-key-file'
    check_client_cert: false
    cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    context_options:  
    - NO_SSLv3  
    - NO_TLSv1  
    - NO_TLSv1_1  
  tls_enabled: true  
  tls_handshake_timeout: 3

     

      2.  After making changes to your agent configuration file, you will need to restart the Infrastructure Agent.

systemctl restart infrastructure-agent

 

      3.  Since you are using self-signed certificates, you don't need to supply a CA certificate when the service check runs.  You will need to confirm that you don't have a value entered for the '-r' option (path to CA certificate) with the arguments used for the service check.   If you notice a CA path is being listed in your Variables under Host settings, you can uncheck the box and leave it blank.  If you make any changes, click the Submit Changes button and then run Apply Changes.

ssl-cert-servicecheck-001.png

     

Example command with '-r' option with no value.

check_nrpe -H 'labtest005' -c check_cpu_stats -C '/opt/itrs/infrastructure-agent/var/orchmainlab-server.crt' -k '/opt/itrs/infrastructure-agent/var/orchmainlab-server.key' -r '' -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'

 

 You now have configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.

 

If you have any further questions:

  • Please contact with our Client Services team via the chat service box available in any of our websites or via email to support@itrsgroup.com
    mceclip0.pngmceclip1.png

  • Make sure you provide to us:
    • ANY LOG FILE OR DIAGNOSTIC
    • ANY SCREENSHOT

Related articles

Comments

0 comments

Please sign in to leave a comment.