[Xymon] False SSL cert alerts

Phil Crooker Phil.Crooker at orix.com.au
Wed Jun 28 01:56:16 CEST 2017


Browsers are a pretty opaque tool for testing certificates because of caching and locally stored certificates. Try openssl:


     openssl s_client -connect hostname:443 -showcerts


You should see the whole chain of certificates going back to a root cert. Are you missing an intermediate certificate? You may need to add it to the SSL config in the web server - in Apache you can just concatenate your host cert and the intermediate.


s_client shows the status of the connection at the bottom:


    Verify return code: 0 (ok)


Not 0 is an error of course.


As s_client opens a connection, you need to CTRL-C to break out (or issue an HTTP command if you wish).


Hope that helps.


________________________________

But now it simply refuses to get a valid https connection from the Xymon server even though you can web-browse to it with no issues and the browser says there is a valid https/cert/connection? Is there any place in Xymon I can see why it is failing?

On Tue, Jun 27, 2017 at 3:39 PM, John Thurston <john.thurston at alaska.gov> wrote:
On 6/27/2017 11:17 AM, Zoltan Forray wrote:
We are constantly having issues with sslcert alerts going non-green
even though it says the cert is fine.  Related to this is there being an
issue getting to the https page from the Xymon server yet I can access
it just fine from my browser.

Any failure to establish an SSL connection will result in an error under sslcert. Could it be a failure to negotiate a secure connection due to an unreliable network connection?

I suggest looking in the error log on your web server. You may find severed or incomplete connection attempts.

--
   Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

--
Zoltan Forray
Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
Xymon Monitor Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zforray at vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
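
The s_client check described at the top of this message, made non-interactive, as an added example that is not part of the original thread. The function names and the sample outputs are constructed for illustration; `check_host` assumes `openssl` is installed on the monitoring host.

```shell
# Summarise `openssl s_client -showcerts` output read from stdin.
# Exit status: 0 = chain verified, 1 = verify error, 2 = no handshake result.
summarise_s_client() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { certs++ }   # one per cert the server sent
        /Verify return code:/ {
            sub(/^.*Verify return code:[ \t]*/, "")   # leaves "21 (reason)"
            code = $1
            reason = $0
            sub(/^[0-9]+[ \t]*/, "", reason)
        }
        END {
            if (code == "") { print "certs=" (certs + 0) " verify=none"; exit 2 }
            print "certs=" (certs + 0) " verify=" code " " reason
            exit (code + 0 == 0 ? 0 : 1)
        }'
}

# Live check (hypothetical helper). </dev/null closes stdin so s_client exits
# after the handshake instead of waiting for CTRL-C; -servername sends SNI.
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | summarise_s_client
}

sample_missing_intermediate() {   # constructed output: host cert only
cat <<'EOF'
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
sample_full_chain() {             # constructed output: host cert + intermediate
cat <<'EOF'
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 0 (ok)
EOF
}

sample_missing_intermediate | summarise_s_client || true
```

Running `check_host` from the Xymon server rather than a workstation takes the browser's caching and locally stored certificates out of the picture.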