No SSL connection possible
#1
Hello, I have a problem with the SSL connection since 30 May, maybe linked to: https://support.sectigo.com/articles/Kno...ay-30-2020 but all the possible solutions that I have found won't work. 

In particular, I don't understand why:
Code:
curl --cacert /etc/pki/tls/certs/mycert.crt https://my_glpi_url/plugins/fusioninventory/

answers fine with the content of the site, but the command:

Code:
fusioninventory-agent --ca-cert-file=/etc/pki/tls/certs/mycert.crt

Gives:


Code:
[info] sending prolog request to server server0
[error] [http client] communication error: 500 Can't connect to my_glpi_url:443
[error] No answer from server at https://my_glpi_url/plugins/fusioninventory/

So the communications between all my Linux agents and my server are completely down (however, Windows agents with the same crt are still working properly).

Has anyone experienced this?

FusionInventory Agent (2.3.21)
#2
Hi zumodevidrio

Can you try with the latest agent and then set the debug option to level 2 so you'll obtain some SSL debugging?
#3
(2020-06-29, 10:10:35)gbougard Wrote: Hi zumodevidrio

Can you try with the latest agent and then set the debug option to level 2 so you'll obtain some SSL debugging?

Hi gbougard,

Done, unfortunately the SSL debug doesn't give me too much useful information:

Quote:
[debug] FusionInventory Agent (2.5.2)
[debug] Configuration directory: /opt/FusionInventory-Agent-2.5.2/etc
[debug] Data directory: /opt/FusionInventory-Agent-2.5.2/share
[debug] Storage directory: ./var
[debug] Lib directory: /opt/FusionInventory-Agent-2.5.2/lib
[debug] [target server0] Next server contact planned for Tue Jun 30 12:33:32 2020
[debug2] getAvailableTasks() : add of task Collect version 2.6
[debug2] getAvailableTasks() : add of task Deploy version 2.8
[debug2] getAvailableTasks() : add of task ESX version 2.5
[debug2] getAvailableTasks() : add of task Inventory version 1.9
[debug2] getAvailableTasks() : add of task Maintenance version 1.1
[debug2] getAvailableTasks() : add of task NetDiscovery version 4.1
[debug2] getAvailableTasks() : add of task NetInventory version 4.1
[debug2] getAvailableTasks() : add of task WakeOnLan version 2.2
[debug2] getAvailableTasks() : add of task WMI version 0.3
[debug2] isParamArrayAndFilled('tasks') : false
[debug] Available tasks:
[debug] - ESX: 2.5
[debug] - WMI: 0.3
[debug] - Collect: 2.6
[debug] - NetDiscovery: 4.1
[debug] - Inventory: 1.9
[debug] - WakeOnLan: 2.2
[debug] - Maintenance: 1.1
[debug] - NetInventory: 4.1
[debug] - Deploy: 2.8
[debug] target server0: server https://glpi_server/plugins/fusioninventory/
[debug] Planned tasks for server0:
[debug] - ESX: 2.5
[debug] - WMI: 0.3
[debug] - Collect: 2.6
[debug] - NetDiscovery: 4.1
[debug] - Inventory: 1.9
[debug] - WakeOnLan: 2.2
[debug] - NetInventory: 4.1
[debug] - Deploy: 2.8
[debug] target scheduler0: scheduler
[debug] Planned tasks for scheduler0:
[debug] - Maintenance: 1.1
[debug] Running in foreground mode
[info] target server0: server https://glpi_server/plugins/fusioninventory/
[debug] [http client] Using Compress::Zlib for compression
[info] sending prolog request to server0
[debug2] [http client] sending message:
<?xml version="1.0" encoding="UTF-8" ?>
<REQUEST>
  <DEVICEID>XXXXXXXXX-2020-06-30-11-42-16</DEVICEID>
  <QUERY>PROLOG</QUERY>
  <TOKEN>12345678</TOKEN>
</REQUEST>
DEBUG: .../IO/Socket/SSL.pm:1829: new ctx 49104560
DEBUG: .../IO/Socket/SSL.pm:475: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:477: socket connected
DEBUG: .../IO/Socket/SSL.pm:495: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:530: using SNI with hostname glpi_server..
DEBUG: .../IO/Socket/SSL.pm:553: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:566: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:576: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:586: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:606: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:1817: ok=0 cert=49458144
DEBUG: .../IO/Socket/SSL.pm:566: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1437: SSL connect attempt failed with unknown error

DEBUG: .../IO/Socket/SSL.pm:572: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1437: IO::Socket::IP configuration failed

DEBUG: .../IO/Socket/SSL.pm:1866: ee ctx 49104560 open=49104560
DEBUG: .../IO/Socket/SSL.pm:1871: ee ctx 49104560 callback
DEBUG: .../IO/Socket/SSL.pm:1874: OK ee ctx 49104560
[error] [http client] communication error: 500 Can't connect to glpi_server:443
[error] No answer from server at https://glpi_server/plugins/fusioninventory/
[info] running task Maintenance
[debug2] Doing Deploy Maintenance
#4
It seems the agent fails to verify the server certificate.
Then, does it work when you use the --no-ssl-check option?

Also, can you confirm on what platform (and platform version) the agent is running? I only see your config path is "/opt/FusionInventory-Agent-2.5.2/etc", so I know this is a unix system.
#5
(2020-07-01, 08:39:21)gbougard Wrote: It seems the agent fails to verify the server certificate.
Then, does it work when you use the --no-ssl-check option?

Also, can you confirm on what platform (and platform version) the agent is running? I only see your config path is "/opt/FusionInventory-Agent-2.5.2/etc", so I know this is a unix system.

Exactly, with --no-ssl-check it works properly.

In this case the platform is CentOS Linux release 7.6.1810, but I also have the problem with Ubuntu systems. However, the Windows agents are working properly with exactly the same certificate.
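Post #1 dates the failure to 30 May and post #4 reads the debug output as a certificate verification failure, so one check worth running on the file given to --ca-cert-file is whether any certificate in that PEM bundle is past its notAfter date. The following is an added example, not part of any post in the thread and not FusionInventory code; the function names and the unsigned sample certificate skeletons are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside one value."""
    while start < end:
        tag, vs, start = tlv(buf, start)
        yield tag, vs, start

def der_time(buf, tag, start, end):
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime has a 2-digit year (RFC 5280: >= 50 is 19xx)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(der):
    """Return notAfter of one DER-encoded certificate."""
    _, ts, te = tlv(der, tlv(der, 0)[1])    # Certificate -> tbsCertificate
    fields = [f for f in children(der, ts, te) if f[0] != 0xA0]  # drop optional [0] version
    _, vs, ve = fields[3]                   # serial, sigAlg, issuer, validity
    return der_time(der, *list(children(der, vs, ve))[1])

def expired_in_bundle(pem_text, now):
    """Return [(position_in_file, notAfter)] for certificates already expired at `now`."""
    dates = [not_after(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    return [(i, d) for i, d in enumerate(dates) if d < now]

# Constructed sample input: unsigned certificate skeletons, not real CA certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length suffices for the sample

def sample_cert(not_after_utc):
    validity = _der(0x30, _der(0x17, b"100101000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + validity + _der(0x30, b""))
    pem = base64.encodebytes(_der(0x30, tbs + _der(0x30, b"") + _der(3, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = sample_cert(b"300101000000Z") + sample_cert(b"200530000000Z")
```

For a real check, pass the contents of the CA file and `datetime.now(timezone.utc)`. An expired entry is a lead to follow up on each affected platform, not by itself proof of the cause.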