Oxidized integration with HTTPS LibreNMS

Hi All,

I started to integrate Oxidized with LibreNMS, but I am stuck halfway. This is what I have done so far:

1 - Installed oxidized:

2 - Created a user for Oxidized, ran oxidized to create the default config.

3 - Added a new source to the config

4 - Configured external/oxidized in the LibreNMS global config



./validate.php

===========================================
Component | Version
--------- | -------
LibreNMS  | 23.10.0-70-g3768e5944 (2023-11-14T23:20:23+01:00)
DB Schema | 2023_11_04_125846_packages_increase_name_column_length (273)
PHP       | 8.2.12
Python    | 3.9.2
Database  | MariaDB 10.5.21-MariaDB-0+deb11u1
RRDTool   | 1.7.2
SNMP      | 5.9
===========================================

[OK]    Composer Version: 2.6.5
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    Active pollers found
[OK]    Dispatcher Service not detected
[OK]    Locks are functional
[OK]    Python poller wrapper is polling
[OK]    Redis is unavailable
[OK]    rrd_dir is writable
[OK]    rrdtool version ok

CONFIG FILES:

nginx config:

server {
 listen 443 ssl http2;

 server_name netmon.example.com;
 root        /opt/librenms/html;
 index       index.php;

 charset utf-8;
 gzip on;
 gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;

 ssl_certificate /etc/nginx/ssl/netmon.example.com.crt;
 ssl_certificate_key /etc/nginx/ssl/netmon.example.com.key;
 
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;

 add_header Strict-Transport-Security max-age=15768000;

 ssl_stapling on;
 ssl_stapling_verify on;

 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location /api/v0 {
  try_files $uri $uri/ /api_v0.php?$query_string;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/run/php-fpm-librenms.sock;
 }
 location ~ /\.ht {
  deny all;
 }

#--------------> smokeping start / 2023-11-14
# Browsing to `http://yourlibrenms/smokeping/` should bring up the smokeping web interface

location = /smokeping/ {
        fastcgi_intercept_errors on;

        fastcgi_param   SCRIPT_FILENAME         /usr/lib/cgi-bin/smokeping.cgi;
        fastcgi_param   QUERY_STRING            $query_string;
        fastcgi_param   REQUEST_METHOD          $request_method;
        fastcgi_param   CONTENT_TYPE            $content_type;
        fastcgi_param   CONTENT_LENGTH          $content_length;
        fastcgi_param   REQUEST_URI             $request_uri;
        fastcgi_param   DOCUMENT_URI            $document_uri;
        fastcgi_param   DOCUMENT_ROOT           $document_root;
        fastcgi_param   SERVER_PROTOCOL         $server_protocol;
        fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
        fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
        fastcgi_param   REMOTE_ADDR             $remote_addr;
        fastcgi_param   REMOTE_PORT             $remote_port;
        fastcgi_param   SERVER_ADDR             $server_addr;
        fastcgi_param   SERVER_PORT             $server_port;
        fastcgi_param   SERVER_NAME             $server_name;
        fastcgi_param   HTTPS                   $https if_not_empty;

        fastcgi_pass unix:/var/run/fcgiwrap.socket;
}

location ^~ /smokeping/ {
        alias /usr/share/smokeping/www/;
        index smokeping.cgi;
        gzip off;
}
#--------------> smokeping end

 location /nginx-status {
  stub_status on;
  access_log   off;
  allow 127.0.0.1;
  deny all;
}

}

# Redirect http requests to https
server {
 listen      80;
 server_name netmon.example.com;
 return 301  https://netmon.example.com$request_uri;

 location /nginx-status {
  stub_status on;
  access_log   off;
  allow 127.0.0.1;
  deny all;
}

}

Oxidized config:

---
username: test
password: test
model: junos
resolve_dns: true
interval: 3600
use_syslog: true
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: netmon.example.com:8888
next_adds_job: false
vars: {}
groups: {}
models: {}
pid: "/home/oxidized/.config/oxidized/pid"
crash:
  directory: "/home/oxidized/.config/oxidized/crashes"
  hostnames: false
stats:
  history_size: 10
input:
  default: ssh
  debug: false
  ssh:
    secure: false
  ftp:
    passive: true
  utf8_encoded: true
output:
  default: git
  git:
      user: Oxidized
      email: [email protected]
      repo: "~/.config/oxidized/oxidized.git"
source:
  default: http
  debug: true
  http:
    url: https://netmon.example.com/api/v0/oxidized
    scheme: https
    secure: false
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: xxx
model_map:
  juniper: junos
  cisco: ios

Librenms config:



VERIFICATION:

Oxidized starts:

oxidized

Puma starting in single mode...
* Version 3.11.4 (ruby 2.7.4-p191), codename: Love Song
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://netmon.example.com:8888
Use Ctrl-C to stop

Oxidized able to save config:

git ls-files -s

100644 b797a8c2a231b6eaa1522d5f1125ec85b50a677d 0	10.1.69.10

API is working:

curl -k -X GET -H 'X-Auth-Token:xxx' -i https://netmon.example.com/api/v0/oxidized

HTTP/2 200 
server: nginx/1.18.0
content-type: application/json
cache-control: no-cache, private
date: Wed, 15 Nov 2023 10:49:35 GMT
strict-transport-security: max-age=15768000

[
    {
        "hostname": "localhost",
        "os": "linux",
        "ip": "127.0.0.1"
    },
    {
        "hostname": "10.1.69.10",
        "os": "routeros",
        "ip": "10.1.69.10"
    },
    {


ISSUES:

  1. Cannot see any config in LibreNMS (under Device > Config, nor under Tools > Oxidized). When I hit “Refresh” I get this error:
    (No error logs in librenms.log)

image


  2. When I try to connect to the Oxidized REST webpage (https://netmon.example.com:8888) I get this error log from oxidized:

HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>

and firefox:
image

2.1 When I try with curl:

curl -v https://netmon.example.com:8888

*   Trying 10.1.22.12:8888...
* Connected to netmon.example.com (10.1.22.12) port 8888 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

It looks to me like Oxidized is able to connect to LibreNMS and get the list of devices; however, I do not see groups collected…

What am I missing here?

Any advice welcome, thanks a lot!

Update:

Issue 2 has been resolved.
The Oxidized webpage is reachable only over HTTP; I am able to load the page and see the saved configs.

The issue with collected groups is also resolved: I played with the LibreNMS Oxidized config and now I am able to create custom groups.

But issue 1 is still not resolved. I am still getting the error in LibreNMS: Could not queue refresh oxidized device.

The URL to your oxidized API is wrong, this should be pointing to your oxidized install so http://netmon.example.com:8888 and you should be good to go.

On another note, what a fantastic help request post, you nailed the detail and did everything right to debug the issue and even came back to report your findings and fixings. Gold star for you :tada:

1 Like
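
The mismatch diagnosed in this thread (an https:// URL aimed at Oxidized's cleartext REST listener on port 8888, which produces curl's "wrong version number" and Puma's HttpParserError) can be checked mechanically. This is an added example, not part of the original posts and not LibreNMS or Oxidized code; the function names `probe_scheme` and `check_url` and the sample target are hypothetical.

```python
import socket
import ssl
from urllib.parse import urlsplit


def probe_scheme(host, port, timeout=3.0):
    """Return 'https', 'http' or 'unknown' for the listener on host:port."""
    # Step 1: try a TLS handshake. Certificate checks are off on purpose:
    # the question is "does this port speak TLS at all", not "is the
    # certificate valid". Nothing sensitive is sent on this connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except OSError:
        # ssl.SSLError is an OSError subclass; a cleartext listener usually
        # surfaces here as WRONG_VERSION_NUMBER, as in the curl output above.
        pass

    # Step 2: new connection, cleartext HTTP/1.0 request, look for "HTTP/".
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            if raw.makefile("rb").read(5) == b"HTTP/":
                return "http"
    except OSError:
        pass
    return "unknown"


def check_url(url, timeout=3.0):
    """Compare the scheme written in a configured URL with what the port speaks."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    actual = probe_scheme(parts.hostname, port, timeout)
    return {"configured": parts.scheme, "actual": actual,
            "match": parts.scheme == actual}


if __name__ == "__main__":
    # Constructed sample target: a local Oxidized REST listener on port 8888.
    print(check_url("https://127.0.0.1:8888"))
```

A result with `"configured": "https"` and `"actual": "http"` is the situation in this thread: the URL has to use the scheme the listener actually speaks.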

@laf you are right, I made the mistake!

So in the Oxidized config:

source:
  default: http
  debug: true
  http:
    url: https://netmon.example.com/api/v0/oxidized
    scheme: https
    secure: true
    map:
      name: hostname
      model: os
      group: group
    headers:
      X-Auth-Token: xxx

Libre:

image

What a bloody mistake by me… I was re-reading the docs over and over and did not spot it.
Thanks again!

2 Likes
