[Xymon] SSL Error after upgrading to Fedora 18
Another Xymon User
xymon at epperson.homelinux.net
Fri Jan 25 19:10:15 CET 2013
So things are good with an explicit path to the CA bundle.

Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf
correct? Is the geosoft.crt file included in the file pointed to by
"certificate =" in CA_default? (On my F17 systems that is cacert.pem,
which is a slink to /etc/pki/tls/certs/ca-bundle.crt)

On 2013-01-25 12:16, Jason Chambers wrote:
> Not a problem with that.
>
> * Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: ./geosoft.crt
> CApath: none
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
> * start date: Nov 12 17:31:09 2012 GMT
> * expire date: Nov 12 17:31:09 2014 GMT
> * common name: webapp2013.geosoft.com
> * issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
>
> Jason Chambers
> Network Administrator | Geosoft
> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] | T +1 416.369.0111 #344 | M +1 416.508.1410
>
> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
>
> FROM: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
> SENT: January-25-13 11:11 AM
> TO: Jason Chambers
> CC: Henrik Størner; xymon at xymon.com
> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
>
> Try handing curl the CA cert for your internal CA:
>
> curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com [12]
>
> Ralph Mitchell
>
> On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <Jason.Chambers at geosoft.com> wrote:
>
>> I think there might be a bug in OpenSSL in this build of Fedora 18
>> (which I have updated.) I ran the command you gave me and I'm getting
>> this:
>>
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 172 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>> Which is suggesting that there isn't an SSL certificate there. Yet
>> when I curl the location:
>>
>> curl: (60) Peer's Certificate issuer is not recognized.
>> More details here: http://curl.haxx.se/docs/sslcerts.html [1]
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>>
>> Would this be everyone else's conclusion as well?
>>
>> Jason Chambers
>> Network Administrator | Geosoft
>> geosoft.com [2] | blog | twitter | linkedIn | facebook | T +1 416.369.0111 #344 [3] | M +1 416.508.1410 [4]
>>
>> Trending topic on Earth Explorer: VOXI Earth Modelling
>>
>> -----Original Message-----
>> From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
>> Sent: January-25-13 1:38 AM
>> To: xymon at xymon.com
>> Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
>>
>> On 24-01-2013 21:43, Jason Chambers wrote:
>> > I just upgraded to Fedora 18, and now servers that have SSL signed by
>> > our internal CA are failing. The http test simply shows "SSL error"
>> > meanwhile our public (GoDaddy) certs aren't causing issues. Is there a
>> > log file I can peer into to find out why I'm getting these error
>> > messages all of a sudden?
>>
>> No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
>> This performs a connect and SSL handshake, which is basically the same
>> as what Xymon does.
>>
>> I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses
>> the SSL libraries. Perhaps some defaults changed in relation to how
>> openssl performs automatic certificate validation? Would surprise me,
>> though.
>>
>> Regards,
>> Henrik
>>
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon [5]

Links:
------
[1] http://curl.haxx.se/docs/sslcerts.html
[2] http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4] tel:%2B1%20416.508.1410
[5] http://lists.xymon.com/mailman/listinfo/xymon
[6] http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8] http://twitter.com/geosoft
[9] http://www.linkedin.com/company/geosoft-inc.
[10] http://www.facebook.com/GeosoftInc
[11] http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12] https://server.domain.com
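
The question raised in the top reply, whether the internal CA certificate is actually inside the bundle file the TLS library reads, can be answered by fingerprint instead of by eye. The script below is an added example and not part of the thread: the certificates, file names and the `ca_in_bundle` and `make_demo_pki` helpers are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example; every certificate and file name here is constructed.

# ca_in_bundle CA_PEM BUNDLE: returns 0 if CA_PEM is one of the certificates
# in BUNDLE. Compares SHA-256 fingerprints, so PEM comments or line-wrapping
# differences between the two files do not matter.
ca_in_bundle() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = d "/c" (++n) ".pem" }
        f { print > f }' "$2"
    rc=1
    for c in "$dir"/c*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null)
        [ "$got" = "$want" ] && rc=0
    done
    rm -rf "$dir"
    return $rc
}

# make_demo_pki DIR: builds a constructed internal CA, a leaf certificate it
# signs, and an unrelated self-signed cert standing in for the public bundle.
make_demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Constructed Internal CA" -keyout ca.key -out ca.pem &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Constructed Public CA" -keyout pub.key -out pub.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=app.internal.example" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 2 -out leaf.pem &&
      cp pub.pem bundle-before.pem &&
      cat pub.pem ca.pem > bundle-after.pem
    ) >/dev/null 2>&1
}

# Demo: the same leaf fails or passes depending on whether the CA is bundled.
demo=$(mktemp -d)
make_demo_pki "$demo"
for b in bundle-before.pem bundle-after.pem; do
    if ca_in_bundle "$demo/ca.pem" "$demo/$b"; then present=yes; else present=no; fi
    if openssl verify -CAfile "$demo/$b" "$demo/leaf.pem" >/dev/null 2>&1
    then v=ok; else v=FAILED; fi
    echo "$b: internal CA present=$present, leaf verification=$v"
done
```

On a real host, point `ca_in_bundle` at the internal CA file and at the bundle the client actually loads, which may differ between an OpenSSL-linked and an NSS-linked program.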