Zenoss doesn't support SSL certificates out of the box. If you want to use an SSL connection to your Zenoss monitoring server, the only thing you can do is put a reverse proxy in front of it. You can use this howto to install and configure a pound reverse proxy.
Install pound with the EPEL
Install the EPEL repository, then pound, with these commands:
su -c 'rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm'
yum install pound
Install pound without the EPEL
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Pound-2.6-2.el6.x86_64.rpm
rpm -ivh Pound-2.6-2.el6.x86_64.rpm
I had a lot of trouble because I used a real SSL certificate immediately. The cause was that I dropped the SSL cert in the wrong Linux folder. Best practice is to first create a self-signed certificate, test pound, and then replace the self-signed certificate with a real SSL certificate.
cd /etc/ssl && openssl req -x509 -newkey rsa:2048 -keyout local.server.pem -out local.server.pem -days 365 -nodes
User "pound"
Group "pound"
Control "/var/lib/pound/pound.cfg"

ListenHTTPS
    Address 192.168.0.x
    Port    443
    Cert    "/etc/ssl/local.server.pem"
End

Service
    BackEnd
        Address 127.0.0.1
        Port    8080
    End
End
Now start the pound service
service pound start
Change the Zenoss config to handle the HTTPS traffic
Add these 3 lines:
<cgi-environment>
    HTTPS ON
</cgi-environment>
su - zenoss
zopectl restart
Replace the self-signed certificate with a wildcard certificate (optional)
Create a PFX in Windows. Transfer the PFX to the Zenoss server and transform the PFX to PEM (the Linux certificate format). The command:
openssl pkcs12 -in validcertificate.pfx -out wilcard.domain.nl.pem -nodes
Now change the pound cert:
ListenHTTPS
    Address 192.168.0.x
    Port    443
    Cert    "/etc/ssl/wilcard.domain.nl.pem"
End
Restart the service
service pound restart
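
Both openssl commands in this howto write the private key and the certificate into a single, unencrypted PEM file. The script below is an added example, not part of the original howto. It checks such a file before pound is restarted with it; the helper name check_pound_pem is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original howto): check a combined PEM file
# before naming it in pound's "Cert" directive.
# check_pound_pem is a hypothetical helper name.
check_pound_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # pound reads the private key and the certificate from the same file.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block in $pem"; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block in $pem"; return 3; }

    # -nodes writes the key unencrypted, so group/other must have no access.
    perms=$(ls -ldL "$pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $pem is accessible to group/other, chmod 600 it"; return 4; }

    # The key must belong to the first certificate: compare public keys.
    # "-passin pass:" keeps openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 5
    fi

    # Reject a certificate that has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 6; }

    echo "OK: $pem"
}

# Stand-alone use: sh check_pound_pem.sh /etc/ssl/local.server.pem
if [ "$#" -gt 0 ]; then check_pound_pem "$1"; fi
```

Each failure has its own return code, so the check can gate the restart, for example: check_pound_pem /etc/ssl/wilcard.domain.nl.pem && service pound restart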