Secure Opsview Monitor with SSL Certificate

LetsEncrypt

If your Opsview Monitor web interface is public facing, securing your site with LetsEncrypt is likely the easiest solution.

Apache Configuration

Display your current Apache configuration with httpd:

[[email protected] ~]# httpd -S
VirtualHost configuration:
*:80                   opsview.pikedom.com (/etc/httpd/conf.d/opsview.conf:4)
*:443                  opsview.pikedom.com (/etc/httpd/conf.d/ssl.conf:56)
...

Edit your Apache configuration:

[[email protected] ~]# vim /etc/httpd/conf.d/opsview.conf

And add a FQDN:

<VirtualHost *:80>
  ServerName opsview.pikedom.com
  Include /opt/opsview/webapp/etc/apache_proxy.conf
</VirtualHost>

Check for syntax errors and restart Apache:

[[email protected] ~]# httpd -t
Syntax OK
[[email protected] ~]# systemctl restart httpd

Install LetsEncrypt

Before we can install LetsEncrypt, we need to enable the epel repository:

[[email protected] ~]# yum install epel-release

Install LetsEncrypt with:

[[email protected] ~]# yum install python2-certbot-apache

Run the certbot:

[[email protected] ~]# certbot --apache

This will generate the new certificate and edit your Apache configuration accordingly.

Amend Apache Configuration

Here I tidy-up the Apache configuration a bit. You’ll probably have something that looks something like this:

[[email protected] ~]# httpd -S
VirtualHost configuration:
*:80                   opsview.pikedom.com (/etc/httpd/conf.d/opsview.conf:4)
*:443                  is a NameVirtualHost
         default server opsview.pikedom.com (/etc/httpd/conf.d/opsview-le-ssl.conf:2)
         port 443 namevhost opsview.pikedom.com (/etc/httpd/conf.d/opsview-le-ssl.conf:2)
         port 443 namevhost opsview.pikedom.com (/etc/httpd/conf.d/ssl.conf:56)
...

Create a new file for your Apache configuration:

[[email protected] ~]# touch /etc/httpd/conf.d/opsview.pikedom.com.conf

Combine the secure and non-secure Apache configuration files into one.

[[email protected] ~]# cat /etc/httpd/conf.d/opsview.conf /etc/httpd/conf.d/opsview-le-ssl.conf >> /etc/httpd/conf.d/ovmon.opsview.com.conf

Amend further if necessary. My configure looks like so:

[[email protected] ~]# cat /etc/httpd/conf.d/opsview.pikedom.com.conf
<VirtualHost *:80>
  ServerName opsview.pikedom.com
  Include /opt/opsview/webapp/etc/apache_proxy.conf
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =opsview.pikedom.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName opsview.pikedom.com
  Include /opt/opsview/webapp/etc/apache_proxy.conf
  SSLCertificateFile /etc/letsencrypt/live/opsview.pikedom.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/opsview.pikedom.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateChainFile /etc/letsencrypt/live/opsview.pikedom.com/chain.pem
</VirtualHost>
</IfModule>

Remove the old configuration files:

[[email protected] ~]# mkdir -v ~/apache-backup
mkdir: created directory ‘/root/apache-backup’
[[email protected] ~]# mv -v /etc/httpd/conf.d/{opsview.conf,opsview-le-ssl.conf} ~/apache-backup/
‘/etc/httpd/conf.d/opsview.conf’ -> ‘/root/apache-backup/opsview.conf’
‘/etc/httpd/conf.d/opsview-le-ssl.conf’ -> ‘/root/apache-backup/opsview-le-ssl.conf’

My final configuration looks like this:

[[email protected] ~]# httpd -S
VirtualHost configuration:
*:80                   opsview.pikedom.com (/etc/httpd/conf.d/opsview.pikedom.com.conf:5)
*:443                  is a NameVirtualHost
         default server opsview.pikedom.com (/etc/httpd/conf.d/opsview.pikedom.com.conf:14)
         port 443 namevhost opsview.pikedom.com (/etc/httpd/conf.d/opsview.pikedom.com.conf:14)
         port 443 namevhost opsview.pikedom.com (/etc/httpd/conf.d/ssl.conf:56)
...

Don’t forget to check for syntax errors and restart Apache:

[[email protected] ~]# httpd -t
Syntax OK
[[email protected] ~]# systemctl restart httpd

If you need to restart Opsview Monitor, run:

/opt/opsview/watchdog/bin/opsview-monit restart all

And watch it come back up with:

watch -n1 /opt/opsview/watchdog/bin/opsview-monit summary -B

Press ctrl + c to exit watch.

Manually Install SSL Certificate

If you have already obtained an SSL certificate, you will need to manually install the certificate. See below for more information on this.

https://knowledge.opsview.com/docs/customization#section-apache-ssl-config

Be the first to comment

Leave a Reply