Ep. 47: Securing the Checkmk web interface with HTTPS

[0:00:00] Hello my name is Bastian Kuhn and today I'm gonna show you how to secure your Checkmk web interface (with HTTPS).
[0:00:18] For that, we're gonna need a certificate. I'm going to show you how to create it, how to create a private key, how to create a signing request for this certificate, and later on how to implement it into the Apache configuration. At first, we're gonna check if you already have a secure connection. You can see that in your browser with this little icon.
[0:00:40] And because of the red border here, you can see the page currently is not secure. So, let's change that. The first thing now I'm gonna generate the private key and the certificate signing request. We should do that always on the server so that the private key stays safe there. The first thing now I'm gonna do is going to generate the private key.
[0:01:09] I'm going to use the "openssl genrsa -out:. I entered the key name and the number of bits. That's the first thing, And a second I'm going to need signing request. That's the file I'm gonna send out later to the department or the website who creates the key. Again, it's with the openSSL.
[0:01:44] This time, "req -new". I enter my private key and the name of the request file. Now this asks me some questions. The answers to these questions are normally supplied by your SSL department or the department who can generate the keys for you. This case I'm gonna use my data.
[0:02:22] The field of the common name here is the most important one because here you can enter which is your certificate name. Make sure that you have the full domain name, like stated here. Also, I want to give you the advice that if you request the certificate for exactly this name, www.monitoring.lan, would not work. So, you will basically need the exact name. So, that's done, basically is. And we now send out this request file to the department or website. After then you receive the certificate file, you can go on and implement it into Apache.
[0:03:20] In my example, I have the certificate. I got even the full chain for the certificate. And that's just the private key I generated before. The first step then is to copy it to the correct directory. First, the private.pem needs to go to /etc/ssl/private/. The certificate.pem goes to /etc/ssl/certs/.
[0:03:59] Also, I'm going to put the chain file into the same directory. That's the first step and the second part now is to change the path in Apache. For that, we go to /etc/apache2/. If you're using Red Hat, the folder would be /etc/httpd/. And there we need to gonna look for the read-allowed configuration file for the SSL. The part of this depends on your Linux distribution. In Ubuntu, like here, you can find it in sites-available.
[0:04:47] There you're going to find the default-ssl.conf. If you don't have this directory or this file, we need to gonna look for this part here where the host and the port 443, which is the port for the HTTPS. There you're gonna search for the part of the SSLCertificateFile, SSLCertificateKeyFile, and here, in this case, the SSLCertificateChainFile.
[0:05:26] What I'm gonna do now is just replace it with mine. We had a certificate.pem. Here we had the private.pem. And here, just need to remove the # here. We have the chain.pem.
[0:06:06] The next step is just to enable the site. For that, we have the a2ensite command,  where we enable default-ssl. And the second Step may be the SSL module is missing. For that, we just enabled a2emod ssl.
[0:06:28] And finally, we restart the Apache. After this reload, you should be able to query our page with https. And it looks fine now. The lock here is intact and has a secure connection. If you run in any problems, there is a little command you can use to get help. It's the apache2ctl configtest.
[0:07:09] So, for example, if Apache isn't starting, we just run this configtest. And this configtest is going to give you information, for example, if you entered the wrong directory for the certificates or something else is wrong, for example, the SSL certificate missing. I hope this gave you a little insight how to secure your Checkmk web interface. For even more information, we link to an article from our blog. 
[0:07:35] Thank you for watching. Don't forget to subscribe. See you next time.

Want to know more about Checkmk? Join us for our Introduction to Checkmk Webinar

Register now

More Checkmk Videos