Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning

This guide is not specific to Checkmk! It applies to web server configuration in general, and we provide this article for your convenience. We can not support you with general web server issues.

Problem

Numerous problems related to TLS encryption come down to a simple reason: The web server is configured improperly.
More specifically, many web servers (especially ones not facing the internet) lack the full certificate chain. They only serve their server certificate.

Reason

Technically, TLS encryption works with only the server certificate, but to verify the trust, you need the chain.
Modern browsers assemble the certificate chain themselves, which covers up the issue of a missing chain, but many CLI tools and programming languages expect the chain from the web server.

Solution

Background

There is some further reading on certificate chains, which we want to share in advance and encourage you to read and understand:

...

  • Your client (monitored system) will need to trust the root certificate of your CA (The internet is full of guides on how to achieve that for several operating systems).
  • Your web server has to serve the certificate chain (without the root certificate) in addition to the server certificate.

Preparations

Before moving on to the actual configuration, you need to acquire and prepare the necessary files:

...

Now, depending on your Checkmk infrastructure, choose the appropriate manual:

Checkmk Appliance

Panel
borderColorblack
bgColor#F8F8F8
  1. Log into the webconf

  2. Navigate to Device Settings > Web Access

  3. Choose Upload Certificate

  4. Now choose the appropriate files and click Upload

Note

For the certificate chain, you only need the intermediate certificate(s), without the root certificate



Linux Server

Panel
borderColorblack
bgColor#F8F8F8

The following steps depend on your specific Linux distribution:

  1. Log into the server as root
    .
  2. Navigate to "/etc/[apache2|httpd]/"
    .
  3. Locate your website configuration file. In a default installation this would be:
    • Debian derivates: /etc/apache2/sites-available/default-ssl.conf
    • RedHat derivates: /etc/httpd/conf.d/my-ssl.conf
      .
  4. In the configuration file, you will find the following directives:

    Code Block
    languagebash
    themeRDark
    SSLCertificateFile      /path/to/certificate.pem
    SSLCertificateKeyFile   /path/to/certificate.key
    SSLCertificateChainFile /path/to/chain.pem

    .

  5. Save the file and reload Apache2: "systemctl reload [apache2|httpd]"

Filter by label (Content by label)
showLabelsfalse
max5
spacesCON
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ( "activate_changes" , "howto" , "ssl" ) and type = "page" and space = "KB"
labelsactivate_changes

...