ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0

SSL issues when running over Librenms using https #411

Closed brokerdavelhr closed 7 years ago

brokerdavelhr commented 8 years ago

I have set up LibreNMS to use https only. Now that I have my cert etc. done and up and running, I then tried to install oxidized. All was going well until this step:

root@ubuntu:/opt/librenms# oxidized
I, [2016-05-03T01:07:20.004152 #122586]  INFO -- : Oxidized starting, running as pid 122586
F, [2016-05-03T01:07:20.034261 #122586] FATAL -- : Oxidized crashed, crashfile written in /root/.config/oxidized/crash
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I understand both were written with http support mainly, but I needed https. Is there any way to point oxidized to where the crt and key are, like I did in apache?

SSLEngine on
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"

Sorry if this is a stupid question... still getting used to the finer points in Linux... I am running Ubuntu 10.04 LTS with ruby=>2 etc. already installed and running.

laf commented 8 years ago

This is because the ssl cert is self generated I expect (or not 100% validated anyway).

I did write a patch to cover this but didn't submit it and I seem to have lost it :(

I'll try and add support to turn off validating ssl certs and submit a pr.

ytti commented 8 years ago

https://github.com/ytti/oxidized/blob/master/lib/oxidized/source/http.rb#L22

Perhaps, change to something like

if uri.scheme == 'https'
  http.use_ssl = true 
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?
end

maybe in 'def setup' also initialise config with some values, like most input/source/output does when called without config.

brokerdavelhr commented 8 years ago

Laf - Appreciate it! Maybe it is a key conflict? When I created my ssl keys etc., it was for http - yet I remember when I went to set up git, I used this command: ssh-keygen -t rsa -b 4096 -C "email add" and it tries putting the key elsewhere. Still not quite sure....

ytti - I will try that asap - will take any lead I can get!

All - sorry for the newb questions - considering I have only been working on linux for a month now, I would like to think I am not doing so bad...I am however realizing what I have been missing out on!

brokerdavelhr commented 8 years ago

Okay, so I started fresh, and got the same result. However this time I used a CA cert setup to my ssl.

"This is because the ssl cert is self generated I expect (or not 100% validated anyway)." forgive a newb question, but how do you 100% validate a ssl cacert?

ytti: How do I get to that file? I seem to be one inept ba(&^&^& in terms of finding things!

brokerdavelhr commented 8 years ago

uuuggg.... thinking this has a lot to do with it:

root@ubuntu:/opt/librenms# dpkg -l ruby
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
un  ruby                                     (no description available)

yeah......will update when I fix this mess.....very sorry for the nonsense

brokerdavelhr commented 8 years ago

Yeah - just checked - it is installed correctly....still looking for that file ytti said to modify. My unfamiliarity with the platform is starting to show....

laf commented 8 years ago

For centos it's in (excuse the old version):

/usr/local/share/gems/gems/oxidized-0.7.2/lib/oxidized/source/http.rb

You can just run find / -name http.rb

brokerdavelhr commented 8 years ago

Thanks laf - you mean something like this:

  def load
    nodes = []
    uri = URI.parse(@cfg.url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https'
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?

It sounds like it is looking for the key but cannot seem to find it when ran

ytti commented 8 years ago

And you did add under http `insecure: true` in your configs?

brokerdavelhr commented 8 years ago

Same result - I used the config for feeding Oxidized as left by librenms:

source:
  default: http
  debug: false
  http:
    insecure: true
    url: https://127.0.0.1/api/v0/oxidized
    scheme: https
    delimiter: !ruby/regexp /:/
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '01582bf94c03104ecb7953dsadsadwed'

laf - the source directory is in the following location in Ubuntu 14.04 LTS running ruby 2.1: /var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/source/http.rb

brokerdavelhr commented 8 years ago

Still (please forgive a newb's perspective), why set insecure: true when it is running ssl?

brokerdavelhr commented 8 years ago

I see this in source:

  def load
    nodes = []
    uri = URI.parse(@cfg.url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https'

So it is using https, it will need valid ssl - where does it pull that info from?

ytti commented 8 years ago

If you do something like the patch suggested, you'd be able to configure 'insecure: true' in configs, to avoid it verifying certs.

Otherwise, you can try to install the needed certs in system directories with other certs.
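The two options ytti describes, and the `secure: false` switch laf mentions later in the thread, differ in where the trust decision is made. This added Ruby example (not Oxidized's own code) shows why a private certificate fails `VERIFY_PEER` against the system store and passes once its CA is trusted explicitly, and how a client can keep verification on by default while still offering an opt-in insecure mode; the certificate, host name and `build_http` helper are constructed here.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Constructed stand-in for the LibreNMS server certificate from the thread:
# a self-signed cert that no public CA has issued.
def make_self_signed_cert(cn = 'librenms.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                     # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, digitalSignature', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Replays what Net::HTTP does in VERIFY_PEER mode: check the server cert
# against a trust store. With only the system defaults a private cert fails
# ("certificate verify failed"); adding the private CA makes it pass without
# ever touching verify_mode.
def chain_trusted?(cert, extra_ca: nil)
  store = OpenSSL::X509::Store.new
  store.set_default_paths                 # the system CA bundle
  store.add_cert(extra_ca) if extra_ca    # the operator's private CA
  store.verify(cert)
end

# A client constructed the way a hardened source/http.rb could be:
# verification stays on, a private CA file can be trusted explicitly,
# and VERIFY_NONE is selected only when the operator asks for `insecure`.
def build_http(url, insecure: false, ca_file: nil)
  uri  = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)  # does not connect yet
  if uri.scheme == 'https'
    http.use_ssl     = true
    http.verify_mode = insecure ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
    http.ca_file     = ca_file if ca_file   # e.g. the server.crt from the thread
  end
  http
end

if __FILE__ == $PROGRAM_NAME
  cert = make_self_signed_cert
  puts "system store only:  #{chain_trusted?(cert)}"                  # false
  puts "with private CA:    #{chain_trusted?(cert, extra_ca: cert)}"  # true
  puts "default verify_mode: #{build_http('https://127.0.0.1/api/v0/oxidized').verify_mode}"
end
```

Pointing `ca_file` at the private CA (or installing it into the system bundle, as ytti suggests) is the fix that keeps the API token protected in transit; `insecure: true` only suppresses the error.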

brokerdavelhr commented 8 years ago
  def load  <--------------- located in /var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/source/http.rb
    nodes = []
    uri = URI.parse(@cfg.url)
    if uri.scheme == 'https'
      http.use_ssl = true 
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?
end
source: <--------------- located in ~/.config/oxidized/config
  default: http
  debug: false
  https:
    insecure: true
    url: https://127.0.0.1/api/v0/oxidized
    scheme: https
    delimiter: !ruby/regexp /:/
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '01582bf94c03104ecb7953dsadsadwed'

when I run oxidized, I get this:

F, [2016-05-06T18:52:46.624060 #4181] FATAL -- : Oxidized crashed, crashfile written in /root/.config/oxidized/crash
no source http url config, edit ~/.config/oxidized/config

My created/CA certs are in etc/ssl/cert & private folder as indicated previous post.

Do I need to add the cert paths in the /etc/mysql/my.cnf file?

brokerdavelhr commented 8 years ago

and when I change this: https: insecure: true to this: http: insecure: true

I get this

F, [2016-05-06T18:58:32.492607 #4866] FATAL -- : Oxidized crashed, crashfile written in /root/.config/oxidized/crash undefined local variable or method `http' for #<Oxidized::HTTP:0x00000001849b20

brokerdavelhr commented 8 years ago

Hope this helps: Everything installed was 'by the book' from the following sources:

https://help.ubuntu.com/lts/serverguide/certificates-and-security.html
Installed libre on ubuntu based on install/config guides on their github page.
http://askubuntu.com/questions/452243/install-ruby-2-0-without-ruby-switch
https://github.com/ytti/oxidized

If this is the cause of my current predicament, and there is a better way to install a secured version of Librenms with oxizided and I missed it - please let me know.

PS - I really do appreciate the help...confused as he*& as to what I am doing wrong..I apologize for the inconvenience and thank you for your patience!

ytti commented 8 years ago

The config block is 'http' not 'https'. When it is http and you have insecure: true there, and the patch in http.rb, what does the crash file contain? What does http.rb look like exactly (put it somewhere; in the paste you're missing 'end' for the 'def' block, your 'end' is for the 'if' block, but it might be just that you didn't paste it fully)?

'scheme: https' in your config does nothing, you can remove it.

Is there way I can run this in your environment? Like maybe you'll start tmate session and share it with me at saku@ytti.fi?

brokerdavelhr commented 8 years ago

here ya go:

Configs -

  def load
    nodes = []
    uri = URI.parse(@cfg.url)
    if uri.scheme == 'https'
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?
end

and

source:
  default: http
  debug: false
  http:
    insecure: true
    url: https://librenms/api/v0/oxidized
    delimiter: !ruby/regexp /:/
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '01582bf94c03104ecb7953dsadsadwed'

I get this:

I, [2016-05-07T17:35:52.682742 #65406]  INFO -- : Oxidized starting, running as pid 65406
F, [2016-05-07T17:35:52.711757 #65406] FATAL -- : Oxidized crashed, crashfile written in /root/.config/oxidized/crash
undefined local variable or method `http' for #Oxidized::HTTP:0x00000002ba5c00

root@ubuntu:/opt/librenms# more /root/.config/oxidized/crash

2016-05-08 00:35:52 UTC undefined local variable or method `http' for #Oxidized::HTTP:0x00000002ba5c00
[NameError]
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/source/http.rb:22:in `load'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/nodes.rb:14:in `block in load'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/nodes.rb:110:in `synchronize'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/nodes.rb:110:in `with_lock'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/nodes.rb:10:in `load'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/nodes.rb:105:in `initialize'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/core.rb:14:in `new'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/core.rb:14:in `initialize'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/core.rb:4:in `new'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/core.rb:4:in `new'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/cli.rb:12:in `run'
/var/lib/gems/2.1.0/gems/oxidized-0.14.1/bin/oxidized:9:in `<top (required)>'
/usr/local/bin/oxidized:23:in `load'
/usr/local/bin/oxidized:23:in `<main>'

brokerdavelhr commented 8 years ago

Can't tmate :-( This is something I am playing with on a virtual machine on my workstation at work.... to say I am on a heavily locked down nw is a gross understatement. I work in the healthcare sector, so security is..... so extreme it is bogging down the nw. So unfortunately, I cannot share :-(

brokerdavelhr commented 8 years ago

now for the ultimate dumb question: Should I be running ruby on rails and docker with this? When installing, I did not see the need to :-/

ytti commented 8 years ago

You are at least missing 'end' in the 'def load' block. The 'end' you have, is closing the 'if' block, but nothing is closing the 'def load' block.

def load
   if blaa
     blaa
   end
end   # this is missing

brokerdavelhr commented 8 years ago

if uri.scheme == 'https'
  http.use_ssl = true 
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?
end

there are 2 'ifs' in the above. 
Does that mean 2 ends are sufficient?
  def load
    if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @cfg.insecure?
    end
  end

I have tried that, and get this:

x178075@ubuntu:/opt/librenms$ sudo oxidized
I, [2016-05-08T11:52:46.559962 #60410]  INFO -- : Oxidized starting, running as pid 60410
/usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require': /var/lib/gems/2.1.0/gems/oxidized-0.14.1/lib/oxidized/source/http.rb:58: syntax error, unexpected keyword_end, expecting end-of-input (SyntaxError)

Will take a look at the /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require file and see what I can

brokerdavelhr commented 8 years ago

Starting at line 50 of /usr/lib/ruby etc. etc.:

if Gem::Specification.unresolved_deps.empty? then
  begin
    RUBYGEMS_ACTIVATION_MONITOR.exit
    return gem_original_require(path)
  ensure
    RUBYGEMS_ACTIVATION_MONITOR.enter
  end
end

# If +path+ is for a gem that has already been loaded, don't

ytti commented 8 years ago

Try this http://p.ip.fi/h51H

and have in config:

source:
  http:
    insecure: true

If it crashes, post the crashfile.

brokerdavelhr commented 8 years ago

F, [2016-05-08T15:44:15.432481 #92170] FATAL -- : Oxidized crashed, crashfile written in /home/x178075/.config/oxidized/crash
getaddrinfo: Name or service not known

If this depends on DNS then there is nothing I can do.

source:
  default: http
  debug: false
  http:
    insecure: true
    url: https://librenms/api/v0/oxidized  <---------------------- See above error.
    delimiter: !ruby/regexp /:/
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '01582bf94c03104ecb7953dsadsadwed'

I tried using the IP address of the server and the loopback (127.0.0.1) - but then I get this:

F, [2016-05-08T15:43:27.694296 #92152] FATAL -- : Oxidized crashed, crashfile written in /home/x178075/.config/oxidized/crash
no implicit conversion of String into Integer

I am 100% certain that if I had a valid DNS entry, and was therefore able to use a proper server name, that it would work. Unfortunately the 'security' team on our NW is a bunch of overly arrogant pr)(&*)&(^ who do not even allow us access to our own machines. Much less anything else.

I have redone my entire http.rb file so it matches what you sent. Here is my config file:

username: xxx
password: xxx
model: cisco
interval: 3600
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 127.0.0.1:8888
vars:
  enable: xxxxxx
groups: {}
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
output:
  default: file
source:
  default: http
  debug: false
  http:
    insecure: true
    url: https://librenms/api/v0/oxidized  <------------------- Am I supposed to put the hard server IP here?
    delimiter: !ruby/regexp /:/
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: '01582bf94c03104ecb7953dsadsadwed'
model_map:
  cisco: ios
  juniper: junos

Thank you again for your time!

ytti commented 8 years ago

That was extremely difficult to read, I suggest you post on the webUI and use appropriate MD formatting.

It looks like the salient complaint is 'no implicit conversion of String into Integer', that is, in some code String was used as if it was Integer and it crashed it.

You should put the crashfile online, so I can see where this was done.

laf commented 7 years ago

@brokerdavelhr How did you get on with this? Oxidized has native support for disabling ssl checking now:

source:
  default: http
  http:
    url: https://url/api
    scheme: https
    secure: false

brokerdavelhr commented 7 years ago

Not using https, so I have no answer for that - but this is how I have it working on regular 80 or 8080 as opposed to 443. How I installed/first ran Oxidized:

First install Ruby. NOTE - Remove first if using Ubuntu 16.04!

sudo apt-get remove ruby

cd $HOME

sudo apt-get update

sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev

git clone https://github.com/rbenv/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

rbenv install 2.3.1   --------- Note - this can take awhile
rbenv global 2.3.1
ruby -v

gem install oxidized oxidized-script oxidized-web

Ensure they are installed right:

dshirk@:~/.config$ gem list oxidized

LOCAL GEMS

oxidized (0.20.0)
oxidized-script (0.4.0)
oxidized-web (0.9.1)

GO TO LibreNMS web gui: Global Settings --- External Settings --- Oxidized Integration --- enable and "'http://127.0.0.1:8888';" for url

then

Global Settings --- API --- API Settings - Create an API access token - this will be the x-auth-token used in your oxidized script

Back to ssh session: sudo nano config.php and add:

Oxidized

$config['oxidized']['enabled']         = TRUE;
$config['oxidized']['url']             = 'http://127.0.0.1:8888';

Save and exit

cd ~/.config/oxidized/

oxidized

nano config (make it look like the below)

username:
password:
model: junos
interval: 3600
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 2
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 127.0.0.1:8888
pid: "/home/dshirk/.config/oxidized/pid"
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
output:
  default: file
  file:
    directory: "/home/dshirk/.config/oxidized/configs"
source:
  default: http
  debug: false
  http:
    url: http://10.2.7.12/api/v0/oxidized
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token:

Save and exit 

Run first start of oxidized: oxidized

watch happily ;-)


laf commented 7 years ago

@brokerdavelhr I'm confused, this entire issue was about https.

Can we close the issue?

laf commented 7 years ago

@brokerdavelhr If you require any further help, please reply and we will re-open this issue.

brokerdavelhr commented 7 years ago

I am very sorry I never responded to this - all is good - sorry for not responding sooner - our department took some heavy hits, so workload has severely increased :-/

brokerdavelhr commented 7 years ago

Hey guys - sorry for being a pain, but I am trying to get a graylog 2.3 (w/ elasticsearch/mongodb) working on ubuntu 16.04 LTS server. No issues installing the first server (master) - everything went just fine. No issues installing the second server - even elasticsearch master/slave is working just fine. However the secondary graylog node will NOT add to master. Every config is exactly as stated in the docs. On the second server's web interface, it states no master is available, graylog cluster ID of all 0's etc. I even tried putting the master's IP in the second server's graylog rest api/web area. Nothing.

It occurred to me that Mongo could be the issue - but only running 2 servers, I cannot make a replica set.

Do either of you know anyone who works with Graylog 2.3/ubuntu who might be able to help out a bit? I have not been able to find a single thing online :-/ Thanks in advance!

laf commented 7 years ago

Think you got the wrong repo :)

brokerdavelhr commented 7 years ago

So this is not correct?: Ubuntu installation — Graylog 2.3.0 documentation

Will downgrade to 2.1 if I have to

laf commented 7 years ago

this repository is about oxidized and not graylog.

brokerdavelhr commented 7 years ago

I understand that - and my apologies, I was asking if someone knew anyone on the graylog2 side. Sorry about the inconvenience!