Certificate checks on Nagios



There are two kinds of certificates:

1) Commercial – Expiry alert 30 days before

2) Let's Encrypt - Expiry alert 10 days before

To check and configure certificate alerts in Nagios:

Log in to nagios.apoyar

• cd /usr/local/etc/nagios/objects/

• vi wwwservices.cfg

Here you will see two paragraphs: the first one is for commercial certificates and the other one is for Let's Encrypt certificates.

Add the server name under either commercial or letsencrypt in hostname

and save the file (:wq!)

Run the command below to check for syntax errors

• /usr/local/bin/nagios -v /usr/local/etc/nagios/nagios.cfg

Finally, restart the Nagios process on nagios.apoyar.net
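To spot-check a certificate file against the two alert windows above without waiting for Nagios, the following added example (not part of the original runbook) wraps openssl x509 -checkend. The function names and the demo certificate are assumptions made for illustration; only the 30-day and 10-day windows come from this page.

```shell
# Added example, not part of the original runbook.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# alert_days <type>: alert window from this page (commercial 30, letsencrypt 10).
alert_days() {
    case "$1" in
        commercial)  echo 30 ;;
        letsencrypt) echo 10 ;;
        *)           return 1 ;;
    esac
}

# check_cert_expiry <pem-file> <commercial|letsencrypt>
check_cert_expiry() {
    local pem="$1" days end
    days=$(alert_days "$2") || { echo "UNKNOWN - unknown type '$2'"; return 3; }
    # Fail closed on a missing or unparsable file instead of reporting OK.
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) ||
        { echo "UNKNOWN - cannot read certificate $pem"; return 3; }
    end=${end#notAfter=}
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "CRITICAL - expired on $end"; return 2
    elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARNING - expires within $days days ($end)"; return 1
    fi
    echo "OK - valid for more than $days days ($end)"
}

# Constructed sample input: a throwaway self-signed certificate valid for 20 days.
demo_expiry() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/demo.key" \
        -out "$d/demo.crt" -days 20 -subj "/CN=demo.example" 2>/dev/null
    check_cert_expiry "$d/demo.crt" commercial    # inside the 30-day window
    check_cert_expiry "$d/demo.crt" letsencrypt   # outside the 10-day window
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_expiry; fi
```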



Upgrading Nginx


Log in to the server on which nginx needs to be upgraded

Go to

• cd /root

Download the latest nginx source with the command below

• wget http://nginx.org/download/nginx-1.20.1.tar.gz

Extract this file with the command below

• tar xzvf nginx-1.20.1.tar.gz

Then go to the path below and download the OpenSSL source

• cd /usr/local/src/

• wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

Extract this file with the command below

• tar xzvf openssl-1.1.1k.tar.gz

After this, go to

• cd /root/nginx-1.20.1

• nginx -V

• copy all the configure options it prints

• ./configure followed by the pasted options, then hit Enter

Finally, run the command below; this performs the actual compilation

• make
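Copying the options by hand makes it easy to lose one, and a rebuilt binary that silently lacks a module such as --with-http_ssl_module is a security regression. The added example below (not part of the original runbook) lists the options the old build had and the new one lacks; the function names and the two sample outputs are constructed for illustration.

```shell
# Added example (not from the original runbook): list configure options that the
# old nginx build had and the new one lacks. Capture each build with
#   nginx -V 2> old_build.txt        (nginx -V writes to stderr, not stdout)

# configure_args: `nginx -V` text on stdin -> one option per line, sorted.
# xargs honours the quotes, so --with-cc-opt='-g -O2' stays a single option.
configure_args() {
    sed -n 's/^configure arguments: //p' | xargs printf '%s\n' | grep '^--' | sort -u
}

# dropped_options <old-file> <new-file>: options (with values) only in the old build.
# A changed value, such as a new --with-openssl path, is listed as well.
dropped_options() {
    local old_tmp new_tmp
    old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 2
    configure_args < "$1" > "$old_tmp"
    configure_args < "$2" > "$new_tmp"
    comm -23 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Constructed sample: the rebuilt binary lost the TLS module.
demo_dropped() {
    local d; d=$(mktemp -d)
    cat > "$d/old.txt" <<'EOF'
nginx version: nginx/1.18.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong'
EOF
    cat > "$d/new.txt" <<'EOF'
nginx version: nginx/1.20.1
configure arguments: --prefix=/etc/nginx --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong'
EOF
    dropped_options "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_dropped; fi
```

An empty result means every option of the old build is present in the new one.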

To check certificates on phobos.apoyar

Log in to phobos.apoyar

• cd certs/generated/

Here we can see all the certificates generated before

- certificates with the firewall suffix are the IPsec ones

- the others are for us or our customers

To look into the Apoyar certificates, go to the Apoyar folder

• cd Apoyar

• ls

Here you will find the .crt file and the Apoyar key. To check whether the certificate and the key belong together, run the command below; it prints two digests, and they must be identical

• openssl x509 -noout -modulus -in apoyar2021.crt | openssl md5 && openssl rsa -noout -modulus -in www.apoyar.eu.key | openssl md5
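The modulus comparison above only applies to RSA keys. The added example below (not part of the original runbook) compares the public key itself, which goes beyond the page's RSA case to EC and Ed25519 keys, and it fails closed when a file cannot be parsed. The function names and demo files are constructed for illustration, and the key file is assumed not to be passphrase-protected.

```shell
# Added example, not part of the original runbook: compare the public key inside
# a certificate with the one derived from a private key. Works for RSA, EC and
# Ed25519 keys; assumes the key file is not passphrase-protected.

# cert_matches_key <cert.pem> <key.pem>
# Returns 0 if they match, 1 if they differ, 2 if either file cannot be parsed.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # An empty result must never count as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: one RSA pair plus an unrelated EC key.
demo_match() {
    local d rc; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/site.key" \
        -out "$d/site.crt" -days 1 -subj "/CN=demo.example" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/other.key" 2>/dev/null
    rc=0; cert_matches_key "$d/site.crt" "$d/site.key"  || rc=$?
    echo "certificate vs its own key: exit $rc"
    rc=0; cert_matches_key "$d/site.crt" "$d/other.key" || rc=$?
    echo "certificate vs other key:   exit $rc"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_match; fi
```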


And if two certificate files have been concatenated into a single certificate file, use the command below to print the subject and issuer of each certificate in it

cat test.crt | awk -v cmd="openssl x509 -subject -issuer -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }'



Nginx Compilation on New Server



Build NGINX from source

1. NGINX is a program written in C, so we need to install the C compiler (GCC).

sudo apt install build-essential -y

2. Download the latest version of NGINX source code and extract it:

wget https://nginx.org/download/nginx-1.13.1.tar.gz && tar zxvf nginx-1.13.1.tar.gz

Go to the NGINX source directory:

cd ~/nginx-1.13.1

3. On the current running Nginx, determine the current configure settings:

nginx -V

And the current location to the nginx executable:

which nginx

Then copy and paste the results to a text file

4. Configure, compile, back up and remove the old and install new NGINX:

./configure --with <whatever the above command gave you> --with <additional parameters you want to add>

The additional parameters could be --with-http_secure_link_module or any other additional modules.

cd /

tar czvf nginx.tar.gz /etc/nginx/

dpkg -l | grep nginx

apt-get purge <all packages the above command has found>

Return to the NGINX source directory before compiling:

cd ~/nginx-1.13.1

make

sudo make install


5. If the ./configure gives you any errors, take the following steps:

apt-get install uuid-dev if ./configure gives you an error about psol not found

apt-get install libgd-dev in case of this error:

./configure: error: the HTTP image filter module requires the GD library.

If there is an issue with the package installation after upgrading to Ubuntu 18, just uninstall the dependencies, and reinstall all packages this uninstall has removed

apt-get install libgeoip-dev in case of:

./configure: error: the GeoIP module requires the GeoIP library.

apt-get install libssl-dev in case of:

./configure: error: SSL modules require the OpenSSL library.

apt-get install libpcre++-dev in case of:

./configure: error: the HTTP rewrite module requires the PCRE library.

If the above doesn't work (spotted on Ubuntu 18):

add-apt-repository ppa:ondrej/php

apt-get install libpcre3 libpcre3-dev

apt-get install libxslt1-dev in case of:

./configure: error: the HTTP XSLT module requires the libxml2/libxslt

apt-get install zlib1g-dev in case of:

./configure: error: the HTTP gzip module requires the zlib library

apt-get install libpam0g-dev in case of:

make gives you an error:

fatal error: security/pam_appl.h: No such file or directory


6. If make gives you any errors:

apt-get install libpam0g-dev in case of:

recipe for target 'objs/addon/ngx_http_auth_pam_module/ngx_http_auth_pam_module.o' failed

apt-get install libperl-dev in case of:

cannot find -lperl


7. Remove all downloaded files from the home directory, in this case /home/username:

cd ~

rm -r nginx-1.13.1/ openssl-1.1.0f/ pcre-8.40/ zlib-1.2.11/

8. Check NGINX version and compile time options

If the nginx command doesn't work, create a symlink:

ln -s /usr/share/nginx/sbin/nginx /usr/sbin/

sudo nginx -v && sudo nginx -V

# nginx version: nginx/1.13.0 (Ubuntu)
# built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
# built with OpenSSL 1.1.0f 25 May 2017
# TLS SNI support enabled
# configure arguments: --prefix=/etc/nginx . . .
# . . .
# . . .

9. Check syntax and potential errors:

sudo nginx -t

# Will throw this error: nginx: [emerg] mkdir() "/var/lib/nginx/body" failed (2: No such file or directory)
# Just create the directory

mkdir -p /var/lib/nginx && sudo nginx -t

10. Create systemd unit file for NGINX:

sudo vim /etc/systemd/system/nginx.service




11. Copy/paste the following content:

NOTE: The location of the PID file and the NGINX binary may be different depending on how NGINX was compiled.

[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

12. Start and enable NGINX service:

sudo systemctl start nginx.service && sudo systemctl enable nginx.service

13. Check if NGINX will startup after a reboot:

sudo systemctl is-enabled nginx.service

# enabled

14. Check if NGINX is running:

sudo systemctl status nginx.service

ps aux | grep nginx

curl -I 127.0.0.1

15. Reboot your Ubuntu VPS to verify that NGINX starts up automatically:

sudo shutdown -r now

16. Create UFW NGINX application profile:

sudo vim /etc/ufw/applications.d/nginx

17. Copy/paste the following content:

[Nginx HTTP]
title=Web Server (Nginx, HTTP)
description=Small, but very powerful and efficient web server
ports=80/tcp

[Nginx HTTPS]
title=Web Server (Nginx, HTTPS)
description=Small, but very powerful and efficient web server
ports=443/tcp

[Nginx Full]
title=Web Server (Nginx, HTTP + HTTPS)
description=Small, but very powerful and efficient web server
ports=80,443/tcp

18. Now, verify that UFW app profiles are created and recognized:

sudo ufw app list

# Available applications:
#   Nginx Full
#   Nginx HTTP
#   Nginx HTTPS
#   OpenSSH