[Xymon] SSL Error after upgrading to Fedora 18

Another Xymon User xymon at epperson.homelinux.net
Fri Jan 25 22:09:20 CET 2013


 

With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17 without my self-signing CA cert appended to the file pointed to by "certificate=", I get an error 20. Append the cert, I get an ok. That should emulate what xymon is doing, I think.

You _did_ have openssl-devel installed when you built xymon, right?

On 2013-01-25 14:24, Jason Chambers wrote:

> Yes, I've downloaded the webapp2013 server cert in pem format and used openssl to verify that it's ok.
> 
> Jason Chambers
> Network Administrator | Geosoft
> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] | T +1 416.369.0111 #344 | M +1 416.508.1410
> 
> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
> 
> FROM: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] ON BEHALF OF Another Xymon User
> SENT: January-25-13 1:10 PM
> TO: xymon at xymon.com
> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
> 
> So things are good with an explicit path to the CA bundle.
> 
> Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf correct? Is the geosoft.crt file included in the file pointed to by "certificate =" in CA_default? (On my F17 systems that is cacert.pem, which is a symlink to /etc/pki/tls/certs/ca-bundle.crt)
> 
> On 2013-01-25 12:16, Jason Chambers wrote:
> 
>> Not a problem with that.
>> 
>> * Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: ./geosoft.crt
>>   CApath: none
>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>> * Server certificate:
>> *   subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
>> *   start date: Nov 12 17:31:09 2012 GMT
>> *   expire date: Nov 12 17:31:09 2014 GMT
>> *   common name: webapp2013.geosoft.com
>> *   issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
>> 
>> JASON CHAMBERS
>> Network Administrator | Geosoft
>> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] | T +1 416.369.0111 #344 | M +1 416.508.1410
>> 
>> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
>> 
>> FROM: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
>> SENT: January-25-13 11:11 AM
>> TO: Jason Chambers
>> CC: Henrik Størner; xymon at xymon.com
>> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
>> 
>> Try handing curl the CA cert for your internal CA:
>> 
>> curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com [12]
>> 
>> Ralph Mitchell 
>> 
>> On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <Jason.Chambers at geosoft.com> wrote:
>> 
>>> I think there might be a bug in OpenSSL in this build of Fedora 18 (which I have updated.) I ran the command you gave me and I'm getting this:
>>> 
>>> CONNECTED(00000003)
>>> write:errno=104
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 0 bytes and written 172 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> ---
>>> 
>>> Which is suggesting that there isn't an SSL certificate there. Yet when I curl the location:
>>> 
>>> curl: (60) Peer's Certificate issuer is not recognized.
>>> More details here: http://curl.haxx.se/docs/sslcerts.html [1]
>>> 
>>> curl performs SSL certificate verification by default, using a "bundle"
>>> of Certificate Authority (CA) public keys (CA certs). If the default
>>> bundle file isn't adequate, you can specify an alternate file
>>> using the --cacert option.
>>> If this HTTPS server uses a certificate signed by a CA represented in
>>> the bundle, the certificate verification probably failed due to a
>>> problem with the certificate (it might be expired, or the name might
>>> not match the domain name in the URL).
>>> If you'd like to turn off curl's verification of the certificate, use
>>> the -k (or --insecure) option.
>>> 
>>> Would this be everyone else's conclusion as well?
>>> 
>>> Jason Chambers
>>> Network Administrator | Geosoft
>>> geosoft.com [2] | blog | twitter | linkedIn | facebook | T +1 416.369.0111 #344 [3] | M +1 416.508.1410 [4]
>>> 
>>> Trending topic on Earth Explorer: VOXI Earth Modelling
>>> 
>>> -----Original Message-----
>>> From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
>>> Sent: January-25-13 1:38 AM
>>> To: xymon at xymon.com
>>> Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
>>> 
>>> On 24-01-2013 21:43, Jason Chambers wrote:
>>> > I just upgraded to Fedora 18, and now servers that have SSL signed by
>>> > our internal CA are failing. The http test simply shows "SSL error"
>>> > meanwhile our public (GoDaddy) certs aren't causing issues. Is there a
>>> > log file I can peer into to find out why I'm getting these error
>>> > messages all of a sudden?
>>> 
>>> No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
>>> This performs a connect and SSL handshake, which is basically the same as what Xymon does.
>>> 
>>> I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the SSL libraries. Perhaps some defaults changed in relation to how openssl performs automatic certificate validation? Would surprise me, though.
>>> 
>>> Regards,
>>> Henrik
>>> 
>>> _______________________________________________
>>> Xymon mailing list
>>> Xymon at xymon.com
>>> http://lists.xymon.com/mailman/listinfo/xymon [5]
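The check this thread keeps circling back to is "openssl verify" against the CA bundle: error 20 ("unable to get local issuer certificate") when the bundle lacks the internal CA, OK once the CA cert is appended. The script below reproduces exactly that with a throwaway PKI so the two outcomes can be compared side by side. It is an added example, not code from the thread or from Xymon; it assumes the openssl command line tool (1.1.1 or later) is installed, and every name in it (Example Internal CA, webapp.example.internal, the temp directory) is constructed. One caveat the example cannot cover: the s_client output quoted above (write:errno=104, zero bytes read) is the peer resetting the TCP connection before any handshake, which is a different failure from a trust-store problem, so it is worth confirming s_client actually completes a handshake before reasoning about the bundle.

```shell
#!/bin/sh
# Added example (not from the Xymon thread): reproduce "openssl verify" error 20
# versus OK with a throwaway internal CA, then show that appending the internal
# CA to the bundle fixes it. Assumes the openssl CLI (1.1.1+). All names are constructed.

WORK="${TMPDIR:-/tmp}/ca-bundle-demo.$$"
mkdir -p "$WORK"

# build_pki: an "internal" CA, an unrelated CA standing in for the distro bundle
# (e.g. /etc/pki/tls/certs/ca-bundle.crt before the fix), and a server cert
# issued by the internal CA. Returns non-zero if any openssl step fails.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/internal-ca.key" -out "$WORK/internal-ca.crt" \
        -subj "/O=Example Inc./CN=Example Internal CA" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/other-ca.key" -out "$WORK/bundle.crt" \
        -subj "/O=Some Public CA/CN=Unrelated Root" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/O=Example Inc./CN=webapp.example.internal" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/internal-ca.crt" -CAkey "$WORK/internal-ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1 || return 1
}

# verify_cert CERT BUNDLE: prints "OK" when the cert chains to something in
# BUNDLE, otherwise the numeric X509 verify error (20 = unable to get local
# issuer certificate). This is the trust-store decision a TLS client makes.
verify_cert() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1)
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        # e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Before the fix: the bundle only knows the unrelated root.
verify_before_fix() {
    verify_cert "$WORK/server.crt" "$WORK/bundle.crt"
}

# After the fix: the "append the cert" step from the thread, done on a copy so
# the before/after checks stay independent of each other.
verify_after_fix() {
    cat "$WORK/bundle.crt" "$WORK/internal-ca.crt" > "$WORK/bundle-fixed.crt"
    verify_cert "$WORK/server.crt" "$WORK/bundle-fixed.crt"
}

build_pki || { echo "openssl not available or PKI build failed" >&2; exit 1; }
echo "before fix: $(verify_before_fix)"   # 20
echo "after fix:  $(verify_after_fix)"    # OK
```

Appending to the distro bundle by hand works until the next ca-certificates update rewrites the file; on distributions that regenerate the bundle from a trust store, drop the internal CA into the distro's anchor directory and regenerate instead, then rerun the same verify check against the regenerated bundle.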




Links:
------
[1] http://curl.haxx.se/docs/sslcerts.html
[2] http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4] tel:%2B1%20416.508.1410
[5] http://lists.xymon.com/mailman/listinfo/xymon
[6] http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8] http://twitter.com/geosoft
[9] http://www.linkedin.com/company/geosoft-inc.
[10] http://www.facebook.com/GeosoftInc
[11] http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12] https://server.domain.com