...
Status: LAST TESTED ON CHECKMK 2.03.0P1
...
Warning: This guide is not specific to Checkmk! It applies to web server configuration in general, and we provide this article for your convenience. We cannot support you with general web server issues.
Numerous problems related to TLS encryption come down to a simple reason: The web server is configured improperly.
More specifically, many web servers (especially ones not facing the internet) lack the full certificate chain. They only serve their server certificate.
Technically, TLS encryption works with only the server certificate, but to verify trust in that certificate, the client needs the chain.
Modern browsers assemble the certificate chain themselves, which covers up the issue of a missing chain, but many CLI tools and programming languages expect the chain from the web server.
Solution
Background
There is some further reading on certificate chains, which we want to share in advance and encourage you to read and understand:
...
- Your client (monitored system) will need to trust the root certificate of your CA (The internet is full of guides on how to achieve that for several operating systems).
- Your web server has to serve the certificate chain (without the root certificate) in addition to the server certificate.
Before moving on to the actual configuration, you need to acquire and prepare the necessary files:
...
Now, depending on your Checkmk infrastructure, choose the appropriate manual:
- Log into the webconf
- Navigate to Device Settings > Web Access
- Choose Upload Certificate
- Now choose the appropriate files and click Upload
Note: For the certificate chain, you only need the intermediate certificate(s), without the root certificate.
The following steps depend on your specific Linux distribution:
- Log into the server as root.
- Navigate to "/etc/[apache2|httpd]/".
- Locate your website configuration file. In a default installation this would be:
  - Debian derivatives: /etc/apache2/sites-available/default-ssl.conf
  - RedHat derivatives: /etc/httpd/conf.d/my-ssl.conf
- In the configuration file, you will find the following directives:

      SSLCertificateFile /path/to/certificate.pem
      SSLCertificateKeyFile /path/to/certificate.key
      SSLCertificateChainFile /path/to/chain.pem

- Save the file and reload Apache2: "systemctl reload [apache2|httpd]"
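The effect of a missing chain can be reproduced offline. This is an added example, not part of the original article: it builds a throwaway root, intermediate and server certificate with `openssl`, then checks the server certificate the way a client that trusts only the root would, and also checks that the chain file contains no root. The function names, the `demo-*.example.test` subjects and the temporary directory are constructed for illustration; the file names mirror the three Apache directives above.

```bash
#!/usr/bin/env bash
# Added example, not from the original article; all names are constructed.
set -eu

# Build a throwaway root -> intermediate -> server hierarchy in directory $1.
build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int server; do  # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root CA: self-signed, the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root: the content of SSLCertificateChainFile.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  # Server certificate, signed by the intermediate: SSLCertificateFile.
  openssl x509 -req -in "$d/server.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 1 -out "$d/certificate.pem" 2>/dev/null
}

# Succeeds if leaf $2 verifies against trusted root $1, optionally helped by
# the extra certificates the server sent ($3, the chain file).
client_trusts() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds if chain file $1 contains a certificate whose subject equals its
# issuer, i.e. a root that should not be served.
chain_has_root() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=substr($0,9)} /^issuer=/ && substr($0,8)==s {r=1} END {exit !r}'
}

demo() {
  work=$(mktemp -d); build_demo_pki "$work"
  client_trusts "$work/root.pem" "$work/certificate.pem" \
    && echo "without chain: trusted" || echo "without chain: NOT trusted"
  client_trusts "$work/root.pem" "$work/certificate.pem" "$work/chain.pem" \
    && echo "with chain: trusted" || echo "with chain: NOT trusted"
  chain_has_root "$work/chain.pem" && echo "chain contains a root" || echo "chain has no root"
  rm -rf "$work"
}
demo
```

Against a running server, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) prints every certificate the server actually sends, so a server that shows only one certificate is missing its chain.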
...