
How to use self-signed SSL certificates with the Infrastructure Agent

This article describes how to use self-signed SSL certificates with the Infrastructure Agent on both ends.

If you are trying to use self-signed certificates with the Infrastructure Agent without making the necessary changes to the agent configuration file and the Web UI, you will see these errors:

  **1**.  On the monitored host: edit your agent configuration file (/opt/itrs/infrastructure-agent/cfg/custom/agent.yml) to have the following:

server:
  tls:
    ca_cert: null
    ca_path: null
    cert_file: '/opt/itrs/infrastructure-agent/var/name-of-cert-file'
    key_file: '/opt/itrs/infrastructure-agent/var/name-of-key-file'
    check_client_cert: false
    cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    context_options:
    - NO_SSLv3
    - NO_TLSv1
    - NO_TLSv1_1
  tls_enabled: true
  tls_handshake_timeout: 3

Note: You need to set check_client_cert: to false and not send a certificate from the client (omit the -C option). It’s much better to use real certificates and proper checks all around, but that’s not always practical or affordable. If you have it set to true, you will get an error like this:

UNKNOWN: SSL Error raised in Agent Client ([SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED]
tlsv13 alert certificate required (_ssl.c:2633))

If you are using self-signed certificates, you would not want to be checking the client certificates.

  **2**.  After making changes to your agent configuration file, you will need to restart the Infrastructure Agent.

systemctl restart infrastructure-agent

  **3**.  Since you are using self-signed certificates, you don't need to supply a CA certificate when the service check runs. Confirm that no value is entered for the '-r' option (path to CA certificate) in the arguments used for the service check. These arguments hold the paths to the certificates on the collector that is monitoring the host. If a CA path is listed in your Variables under Host settings, you can uncheck the box and leave it blank. If you make any changes, click the **Submit Changes** button and then run **Apply Changes**.


The Orchestrator/Collector will already have certs created and you can use the following value for the path of the certificate:

/opt/opsview/etc/ssl/local-client.pem

Example commands with the ‘-r’ option given no value:

check_nrpe -H 'labtest005' -c check_cpu_stats -C '' \
  -k '/opt/opsview/etc/ssl/local-client.pem' -r '' \
  -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'

check_nrpe -H '10.140.1.139' -c nsc_checkcpu \
  -a 'warn=90 crit=95 time=10m time=1m ShowAll=long' \
  -C '' -k '/opt/opsview/etc/ssl/local-client.pem' -r '' \
  -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS'
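
A small linter for step 3, added here as an example (it is not part of the original article or of Opsview): it parses a service check command line and reports a non-empty -r or -C, plus any anonymous (ADH) suites in -y, which the !aNULL in the agent's cipher_suite excludes, so they are never negotiated. It assumes an empty value ('') means the option is effectively unset, as in the article's examples; the function names and the second sample command are constructed.

```python
import shlex

# Options that take a value in the article's example commands.
VALUE_OPTS = {"-H", "-c", "-a", "-C", "-k", "-r", "-y"}

def parse_check_args(command):
    """Return {option: value} for a check_nrpe-style command line."""
    tokens = shlex.split(command)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in VALUE_OPTS and nxt not in VALUE_OPTS:
            opts[tok] = nxt      # '' stays '' (assumption: treated as unset)
            i += 2
        else:
            if tok in VALUE_OPTS:
                opts[tok] = ""   # option followed directly by another option
            i += 1
    return opts

def lint_self_signed(command):
    """List settings that conflict with the self-signed setup described above."""
    opts = parse_check_args(command)
    findings = []
    if opts.get("-r"):
        findings.append("-r is set to a CA certificate path: " + opts["-r"])
    if opts.get("-C"):
        findings.append("-C sends a client certificate: " + opts["-C"])
    anon = [c for c in opts.get("-y", "").split(":")
            if c.startswith(("ADH", "AECDH")) or c == "aNULL"]
    if anon:
        findings.append("-y lists unauthenticated suites: " + ", ".join(anon))
    return findings

# The first command is the article's own example; the second is constructed.
ARTICLE_CMD = ("check_nrpe -H 'labtest005' -c check_cpu_stats -C '' "
               "-k '/opt/opsview/etc/ssl/local-client.pem' -r '' "
               "-y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:"
               "ADH-AES256-SHA:ADH-AES128-SHA:!MD5:!DSS:HIGH'")
CONSTRUCTED_CMD = ("check_nrpe -H 'labtest005' -c check_cpu_stats "
                   "-C '/example/client.pem' -k '/example/client.pem' "
                   "-r '/example/ca.pem' -y 'ECDH+AESGCM:!aNULL'")

if __name__ == "__main__":
    for cmd in (ARTICLE_CMD, CONSTRUCTED_CMD):
        print(cmd.split(" -C")[0], "->", lint_self_signed(cmd) or "ok")
```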

You have now configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.
