I am new to certificates, so I need help to secure my check_mk page with SSL using a wildcard certificate.
I'm not that familiar with Linux, so I need some more detailed instructions on how to integrate my wildcard certificate (with our domain behind it) into my CentOS Check_mk VM, so that the httpd service is secured and can be accessed via 443.
Sorry if the topic has been treated generously already; I didn't get much further with any contributions I found on the topic.
Yes, there are many contributions to this topic, but almost all of them are about self-signed certificates. Of course there is the redirect contribution, which works without problems. But this does not help me without the SSL certificate.
Thanks for the link, but it's not about getting a certificate, it's about integrating my existing certificate with the appropriate domain into my Check_mk page.
```apache
# Fragment of an HTTPS vhost; it belongs inside the port-443 VirtualHost block.
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    # ${APACHE_LOG_DIR} is a Debian/Ubuntu envvar; on CentOS use /var/log/httpd instead
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Long compatibility list; note it still contains 3DES (DES-CBC3) suites at the end
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire

    # Redirect anything not arriving on 443 (see the replies below on where this really belongs)
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [L]

    # Replace the placeholders with the paths of your wildcard certificate and its private key
    SSLCertificateFile /path/to/your/certificate.pem
    SSLCertificateKeyFile /path/to/your/private-key.pem
</VirtualHost>
```
The rewrite cond and rule are of no real use inside the vhost definition of the SSL port.
@Fabio12 you can google how to set up SSL for your distribution; that's not really related to Checkmk. The config louis posted is not all you need to do for a fresh install. You need to activate the SSL port in general as well, which is done in files depending on your distribution.
```apache
Listen 443
```
should go in your /etc/httpd/Listen.conf as well.
This was taken directly from my configuration and it works. And I’ll admit, I’m no apache expert, so I may have to check my config as well and put the rewrite rules somewhere else.
But with the added Listen directive it should work. And I guess that you then indeed can leave out the rewrite rules as @joker suggests.
The rewrite can go into the non-SSL (port 80) vhost config. It is used to redirect any request to the SSL port 443.
Make sure your Checkmk is configured completely for this to work. If you have the agent bakery active, check that it still works: it needs additional configuration to work over SSL.
I was not yet able to get the bakery to work over SSL. Therefore I added the following line to my vhost definition:
This does not forward every request to SSL, but just the bare domain ($ means end-of-line). It does not interfere with the agent update calls. When I enter the name of my monitoring host, I am nevertheless redirected to the secure login page.
Please note that this is not the best solution security-wise: Checkmk might still be called unencrypted.
That shouldn't make a big difference. One thing to keep in mind: with self-signed certs, you have the cert+key and that's it. With a proper cert from some trusted CA, you again have cert+key, but the cert is usually issued by the CA from some intermediate cert. Only that CA intermediate cert is then issued from the CA's trusted root cert. So to make browsers happy (cert chain connected to some trusted root cert), your server should offer both your server cert AND the CA's intermediate cert.
(You can use the Qualys SSL Labs Server Test to check for a valid certificate chain, besides lots of other aspects of your SSL/TLS installation as well.)
On Linux, openssl x509 -noout -issuer -in YOUR-SERVER-CERT.crt should show you the cert’s issuer.
And openssl x509 -noout -subject -in CA-INTERMEDIATE.crt must match this.
Your CA should have some documentation on which intermediate cert you need, where to obtain it and probably even some example on how to install it in the usual systems (apache, nginx, …). At least on Debian, the default-ssl.conf vhost shipped with the apache2 package has extensive comments on this as well.