[Check_mk (english)] check-mk with let's encrypt

Hi,

I’m just getting started with check-mk, and so far it looks great. I’d like to configure apache to use SSL for the site, and would like to use Let’s Encrypt to do so.

Do you have any documentation on how to do this? I’m using ubuntu server 16.04.1, and Check-mk 1.2.8p11

Thank you,

Marc

Hey Marc

I would say that this is out-of-scope for check_mk or even OMD. There are many
other great docs for this. Just give it a try to give the vhost(s) on your
Apache a nice cert :)

--
Live long and prosper
Robin `ypid` Schneider -- https://ypid.de/

Hi Marc,

I am using check-mk 1.2.8p11 on lts 16.04.1 with Let's Encrypt. I followed these instructions: https://certbot.eff.org/#ubuntuxenial-apache and it works for me.
Before requesting the cert, set server-name and server-alias in /etc/apache/sites-available/yoursitename

Julian

_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

Not really all that helpful to you, but we did the same sort of thing with Nginx. We’ve got a sort of corp standard to use Nginx as a general purpose web server/proxy, so use that as the ‘main’ web server, which proxies to the OMD-specific one that checkmk runs with. It was pretty easy to set it up to terminate the SSL and proxy on unencrypted to checkmk. I can post config chunks if of any interest.

…Ralph

Ralph Bolton
Systems Administrator
**Calltracks Ltd**

Email: ralph.bolton@calltracks.com
Web: [www.calltracks.com](http://www.calltracks.com/)
Tel: +44 20 3199 9000
Fax: +44 20 3199 9009

High availability call monitoring, tracking and NTS services. The opinions expressed are those of the individual and not the company. Internet communications are not secure and therefore Calltracks Ltd (“the company”) does not accept liability for any claims arising as a result of the use of this medium for transmissions by or to the company. This email and any files transmitted with it are confidential. If you are not the intended recipient, you are hereby notified that any disclosure, distribution or copying of this communication is strictly prohibited. Whilst we take every reasonable precaution to screen out computer viruses from emails, attachments to the email may contain such viruses. We cannot accept liability for loss or damage resulting from such viruses. Calltracks Ltd is registered in England and Wales 6539973 at Unit 15, 3rd Floor, 23-28 Penn Street, London, N1 5DL

Thanks - I found these instructions shortly after posting, but am not sure which sites-available conf file I need to edit.

I used the default install of OMD, and that didn’t create an additional entry in /etc/apache2/sites-available. Do I need to run omd configure - and change from Basic to WebGUI? I found this file: /omd/sites/mysitename/etc/apache/apache.conf, which uses “own” as the setting in WebGUI, and uses the loopback address (and mod_proxy).

Thanks,

Marc

Hi Julian,

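You wrote:

> Before requesting the cert, set server-name and server-alias in /etc/apache/sites-available/yoursitename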

In my install, there’s only the default apache sites-available entries. Installing omd and check_mk didn’t create any additional entries there, nor did it modify the defaults. The apache config that’s referenced when I grep running processes for apache is:

/omd/sites/mysite/etc/apache/apache.conf

ServerName is specified as: 127.0.0.1

and example.com is commented out (otherwise I’d try editing that to reflect my server name, and uncommenting it).

I tried to run the letsencrypt installer anyway, hoping it would find what it needed, but it failed.

Did you create another entry in sites-available, or did you modify the default install, so that one got created there, or did you do something else entirely?

Thanks,

Marc

PS: I plan to run this internally, but we have found that let’s encrypt didn’t work unless the server was available in our dmz, so we typically put them there for the let’s encrypt install, and then move them back to our internal zone once they’ve been verified.

Hi Marc,

I edited the /etc/apache2/sites-available/000-default.conf

     ServerName monitoring.mydomain.tld
     ServerAlias monitoring.myotherdomain.tld monitoring.anotherone.tld

To check which site is active and where to find it do a ls -l in /etc/apache2/sites-enabled e.g.

     lrwxrwxrwx 1 root root 35 Okt 1 16:40 000-default.conf -> ../sites-available/000-default.conf

That is all I did, hope that helps.

Julian
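
A pre-flight check for the naming step discussed in the messages above, as an added example that is not part of the original thread: it lists the uncommented ServerName/ServerAlias values in an Apache config and says which ones a public CA could validate as DNS names. The two sample configs are constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the two files discussed in the thread.
OMD_SITE_CONF = """
ServerName 127.0.0.1
# ServerName example.com
"""
DEFAULT_VHOST_CONF = """
<VirtualHost *:80>
    ServerName monitoring.mydomain.tld
    ServerAlias monitoring.myotherdomain.tld monitoring.anotherone.tld
    DocumentRoot /var/www/html
</VirtualHost>
"""

# Commented-out lines start with "#", so they never match this pattern.
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I | re.M)
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify(name):
    """Say whether `name` is usable as a DNS identifier in a certificate request."""
    # ServerName may carry an optional scheme and port; keep only the host part.
    host = name.split("://")[-1].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if "*" in host:
        return "wildcard"
    if not HOSTNAME.match(host):
        return "not-fqdn"
    return "ok"


def issuable_names(conf):
    """Return (usable, rejected) for the uncommented name directives in conf."""
    usable, rejected = [], []
    for _, value in NAME_DIRECTIVE.findall(conf):
        for name in value.split():
            verdict = classify(name)
            if verdict == "ok":
                usable.append(name.lower())
            else:
                rejected.append((name, verdict))
    return usable, rejected
```

Run against the OMD site config sample it returns no usable names, while the edited 000-default.conf sample yields all three hostnames.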

RE: using nginx instead of Apache for ‘central’ web server on the box

We use nginx as something of a company standard, so I didn’t want my Checkmk server to use Apache as the ‘general purpose’ web server (port 80/443) that just proxies back to the Checkmk built-in server (which runs Python and whatnot else).

The first step is to stop and disable the apache web server that (I think) OMD installs for you. That frees up port 80/443 ready for nginx. Next up configure nginx - I got this going by getting a ‘hello world’ static HTML web page to work first, and then finally to put in the proxy back to CheckMK. We may have some site-specific config in here, but it’s essentially a pretty stock nginx SSL site (with a redirect from http to https) - the only ‘funky’ thing is the proxy to the CheckMK apache. Our configs are below - hope they help someone out!

Cheers,

…Ralph

    server {
        listen 80;

        location /checkmk {
            # $request_uri already starts with "/", so no extra slash after the host
            return 301 https://ourcheckmkserver.com$request_uri;
        }
    }

    server {
        listen 443 ssl;
        ssl_certificate tls/ourcert.chained.crt;
        ssl_certificate_key tls/ourcert.key;
        ssl_dhparam tls/dhparam.pem;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

        location /checkmk {
            sendfile off;
            # TLS ends here; the hop to the CheckMK apache on loopback is plain HTTP
            proxy_pass         http://127.0.0.1:5000;

            proxy_set_header   Host               $host;
            proxy_set_header   X-Real-IP          $remote_addr;
            proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto  https;

            add_header Pragma "no-cache";

            proxy_max_temp_file_size 0;

            # this is the maximum upload size
            client_max_body_size       10m;
            client_body_buffer_size    128k;

            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;

            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;

            proxy_headers_hash_max_size 1024;
            proxy_headers_hash_bucket_size 128;

            # rewrite http:// Location headers from the backend to https://
            proxy_redirect http:// https://;
        }
    }
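
A check one could run over a config like the one above before putting it on port 443, as an added example that is not part of the original post: it reads the `ssl_protocols`, `ssl_ciphers` and `proxy_pass` directives and reports deprecated protocol versions, 3DES, static-RSA and CBC-mode suites, and any cleartext proxy hop that leaves the host. The sample config is constructed from the posted directives with a shortened cipher list, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the TLS and proxy directives from the nginx config
# posted above, with the cipher list shortened to a representative subset.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:AES128-SHA:HIGH:!aNULL:!RC4";
    location /checkmk {
        proxy_pass http://127.0.0.1:5000;
    }
}
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
FORWARD_SECRET = ("ECDHE-", "DHE-", "EDH-")


def directive(conf, name):
    """Return the argument list of every uncommented `name ...;` directive."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+([^;]+);", re.M)
    return [m.group(1).strip().strip("\"'").split() for m in pattern.finditer(conf)]


def classify_cipher(token):
    """Return a finding for one OpenSSL cipher-list token, or None if acceptable."""
    if token.startswith("!"):
        return None  # an exclusion, not an offered suite
    if "DES-CBC3" in token or "3DES" in token:
        return "3DES (64-bit block cipher)"
    if any(bad in token for bad in ("RC4", "MD5", "NULL", "EXP")):
        return "broken or null algorithm"
    if "-" not in token:
        return None  # group keyword such as HIGH; not expanded here
    if not token.startswith(FORWARD_SECRET):
        return "static RSA key exchange (no forward secrecy)"
    if "GCM" not in token and "CHACHA20" not in token:
        return "CBC-mode suite (not AEAD)"
    return None


def audit(conf):
    """Return a list of (directive, value, finding) tuples for conf."""
    findings = []
    for args in directive(conf, "ssl_protocols"):
        findings += [("ssl_protocols", p, "deprecated protocol")
                     for p in args if p in DEPRECATED_PROTOCOLS]
    for args in directive(conf, "ssl_ciphers"):
        for token in args[0].split(":"):
            reason = classify_cipher(token)
            if reason:
                findings.append(("ssl_ciphers", token, reason))
    for args in directive(conf, "proxy_pass"):
        url = urlsplit(args[0])
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(("proxy_pass", args[0], "cleartext hop leaves the host"))
    return findings
```

On the sample, `audit(SAMPLE_CONF)` reports TLSv1 and TLSv1.1 plus three cipher entries, and nothing for the loopback proxy hop.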
