...

Technically, the TLS handshake succeeds with only the server certificate, but a client can only verify trust if it can build a chain from that certificate up to a root certificate it already trusts.
Modern browsers assemble a missing chain themselves (from a local cache of known intermediates, or by fetching them from the issuer URL embedded in the certificate), which hides the problem of a server that sends no chain. Many CLI tools and programming language libraries do not do this: they expect the web server to send the intermediates and otherwise fail with errors such as "unable to get local issuer certificate".

...

Simply put, you only need two things for this to work properly:

  • The client on your hosts (the monitored systems) must trust the root certificate of your CA. (The internet is full of guides on how to achieve that for various operating systems.)
  • Your web server must serve the certificate chain in addition to the server certificate. The chain consists of all intermediate certificates, from the one that signed the server certificate up to the one signed by the root, and does not include the root certificate itself.
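To see why the intermediate matters, here is an added example (not code from the Checkmk documentation or project) that builds a throwaway three-tier PKI with openssl and then validates the server certificate the way a CLI client that trusts only the root would, first without and then with the intermediate. The names checkmk.example.com, "Demo Root CA" and "Demo Intermediate CA" and all file names are made up for the demo; it needs only a POSIX shell and the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the Checkmk documentation or project.
# Builds a throw-away PKI (root -> intermediate -> server) with openssl and
# shows that a client which trusts only the root cannot validate the server
# certificate unless the intermediate is supplied as well, which on a real
# system is the web server's job. All subject names and file names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Generate a private key and a certificate signing request. $1 = basename, $2 = CN
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_demo_pki() {
  if [ -f "$WORK/fullchain.pem" ]; then return 0; fi   # already built

  # Extensions for CA certificates (root and intermediate) and for the server cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:checkmk.example.com\n' > "$WORK/server.ext"

  # Root CA, self-signed: this is what the monitored hosts are configured to trust.
  new_key_and_csr root "Demo Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root and itself allowed to sign certificates.
  new_key_and_csr intermediate "Demo Intermediate CA"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" >/dev/null 2>&1

  # Server (leaf) certificate, signed by the intermediate, not by the root.
  new_key_and_csr server "checkmk.example.com"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

  # What the web server gets configured with:
  #   server.pem + server.key -> SSLCertificateFile / SSLCertificateKeyFile
  #   chain.pem               -> SSLCertificateChainFile: intermediates only, no root
  #   fullchain.pem           -> for servers that take one file: leaf first, then intermediates, no root
  cp "$WORK/intermediate.pem" "$WORK/chain.pem"
  cat "$WORK/server.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# Validate a server certificate the way a client that trusts only our root does.
# $1 = server certificate, $2 = optional file with the intermediate certificate(s).
# Prints OK or FAIL instead of exiting, so both outcomes can be compared.
verify_as_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Number of certificates in a PEM bundle: a quick sanity check before deploying a chain file.
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

build_demo_pki
echo "Server certificate alone (what a CLI client sees when the server sends no chain):"
openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" || true
echo "Server certificate plus the intermediate(s):"
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/server.pem"
echo "chain.pem holds $(pem_cert_count "$WORK/chain.pem") certificate(s), fullchain.pem $(pem_cert_count "$WORK/fullchain.pem")"
# Against a live server the equivalent check is (needs the network, so not run here):
#   openssl s_client -connect checkmk.example.com:443 -showcerts </dev/null
# It lists every certificate the server sent; with a missing chain you see only one.
```

Run it with sh: the first verification fails with "unable to get local issuer certificate", which is what curl, openssl or a Python script reports against a server that omits its chain, and the second succeeds. chain.pem is the file SSLCertificateChainFile expects; fullchain.pem is the leaf-first bundle for servers that take a single file. Neither contains the root, which belongs in the trust store of the monitored hosts instead.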

Preparations

Before moving on to the actual configuration, you need to acquire and prepare the necessary files:

  • Private key file
  • Server certificate file
  • CA intermediate certificate file(s)
  • CA root certificate file (not needed on the web server for this guide; it is what the monitored hosts have to trust)

For the first two, if you do not have them or do not know how to get them, ask your PKI administrator or the person responsible for certificates in your organization. They should be able to provide you with all the files necessary, including the intermediate certificate(s).
If you already have the first two files and don't want to bother your certificate person, you can extract the CA files from your web browser (this only works because the browser assembled the chain on its own, as described above).

  1. Navigate to your Checkmk web interface.
  2. Open the certificate viewer of your browser:
     Firefox
       1. Click on the little lock icon in the address bar.
       2. Then click on Connection secure and More information.
       3. Now you see the Page Info window, where you click on View Certificate.
       4. This brings you to a page where you can inspect and download all certificates involved.
     Chrome(ium)
       1. Click on the little lock icon in the address bar.
       2. Then click on Connection is secure and Certificate is valid.
       3. This brings you to a page where you can inspect and download all certificates involved.
  3. Download the intermediate certificate(s) and, if your hosts do not trust it yet, the root certificate. Before you distribute a root certificate obtained this way, compare its fingerprint with the one your PKI administrator publishes: a root you install on the monitored hosts decides what they will trust.


    We have prepared the steps for the Checkmk Appliance (virtual or physical) as well as for the Apache web server on Linux. If a different web server sits in front of your Checkmk instance, the steps might differ, but you should get the idea where to look.

    Now, depending on your Checkmk infrastructure, choose the appropriate manual:

    ...

    Checkmk Appliance

    1. Log into the webconf.
    2. Navigate to Device Settings > Web Access.
    3. Choose Upload Certificate.
    4. Now choose the appropriate files and click Upload.
      1. For the certificate chain, you generally only need the intermediate certificate(s), without the root certificate.

    Linux Server

    The following steps depend on your specific Linux distribution.

    1. Log into the server as root.
    2. Change into the Apache configuration directory: /etc/apache2/ on Debian derivatives, /etc/httpd/ on RedHat derivatives.
    3. Locate the configuration file of your website. In a default installation this would be:
      1. Debian derivatives: /etc/apache2/sites-available/default-ssl.conf
      2. RedHat derivatives: /etc/httpd/conf.d/ssl.conf (installed by the mod_ssl package)
    4. In the configuration file you will find the following directives. Point them at your server certificate, its private key, and a chain file that contains only the intermediate certificate(s), ordered from the one that signed the server certificate upwards, without the root certificate:

      SSLCertificateFile      /path/to/certificate.pem
      SSLCertificateKeyFile   /path/to/certificate.key
      SSLCertificateChainFile /path/to/chain.pem

      Since Apache httpd 2.4.8, SSLCertificateChainFile is deprecated: you can instead append the intermediate certificate(s) to the file named in SSLCertificateFile, after the server certificate. Either way, keep the private key file readable by root only.
    5. Save the file, check the syntax with "apachectl configtest", then reload Apache: "systemctl reload [apache2|httpd]".
    6. Verify from a monitored host that the chain is now served, e.g. with "openssl s_client -connect <checkmk-server>:443 -showcerts </dev/null". The output should list the server certificate followed by the intermediate(s) and, once the host trusts your root, report "Verify return code: 0 (ok)".

    ...