[Xymon] False SSL cert alerts

Zoltan Forray zforray at vcu.edu
Wed Jun 28 13:52:42 CEST 2017


Thanks for the help and the command. However, since I know very little
about certs, here are the results:

[xymon at xymon1 etc]$ openssl s_client -connect quikfm.vcu.edu:443 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


On Tue, Jun 27, 2017 at 7:56 PM, Phil Crooker <Phil.Crooker at orix.com.au>
wrote:

> Browsers are a pretty opaque tool for testing certificates because of
> caching and locally stored certificates. Try openssl:
>
>
>      openssl s_client -connect hostname:443 -showcerts
>
>
> You should see the whole chain of certificates going back to a root cert.
> Are you missing an intermediate certificate? You may need to add it to the
> ssl config in the webserver - in apache you can just concatenate your host
> cert and the intermediate.
>
>
> s_client shows the status of the connection at the bottom:
>
>
>     Verify return code: 0 (ok)
>
>
> Not 0 is an error of course.
>
>
> As s_client opens a connection, you need to CTRL-C to break out (or issue
> an http command if you wish)
>
>
> Hope that helps.
>
>
> ------------------------------
>
> But now it simply refuses to get a valid https connection from the Xymon
> server even though you can web-browse to it with no issues and the browser
> says there is a valid https/cert/connection?  Is there any place in Xymon I
> can see why it is failing?
>
> On Tue, Jun 27, 2017 at 3:39 PM, John Thurston <john.thurston at alaska.gov>
> wrote:
>
>> On 6/27/2017 11:17 AM, Zoltan Forray wrote:
>>
>>> We are constantly having issues with sslcert alerts going non-green
>>> even though it says the cert is fine.  Related to this is there being an
>>> issue getting to the https page from the Xymon server yet I can access
>>> it just fine from my browser.
>>>
>>
>> Any failure to establish an SSL connection will result in an error under
>> sslcert. Could it be a failure to negotiate a secure connection due to an
>> unreliable network connection?
>>
>> I suggest looking in the error log on your web server. You may find
>> severed or incomplete connection attempts.
>>
>> --
>>    Do things because you should, not just because you can.
>>
>> John Thurston    907-465-8591
>> John.Thurston at alaska.gov
>> Department of Administration
>> State of Alaska
>>
>
>
>
> --
> *Zoltan Forray*
> Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
> Xymon Monitor Administrator
> VMware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zforray at vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>



-- 
*Zoltan Forray*
Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
Xymon Monitor Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zforray at vcu.edu - 804-828-4807
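
Added example, not part of the original thread: a shell function that sorts saved `openssl s_client` output into the two cases the messages above distinguish, a handshake that ends before the server sends anything (the `errno=104` / `read 0 bytes` output posted above; 104 is ECONNRESET on Linux) versus a completed handshake with a non-zero `Verify return code`. The category labels and the second sample are constructed for illustration.

```bash
# Classify `openssl s_client` output read on stdin. Labels are made up for this example.
classify_s_client() {
    local out read_bytes verify
    out=$(cat)
    # Bytes the client received during the handshake (0 = server never answered).
    read_bytes=$(printf '%s\n' "$out" |
        sed -n 's/^SSL handshake has read \([0-9]*\) bytes.*/\1/p' | head -n1)
    # Numeric chain-verification result, present only when a certificate arrived.
    verify=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n1)

    if printf '%s\n' "$out" | grep -q '^no peer certificate available'; then
        if [ "$read_bytes" = "0" ] && printf '%s\n' "$out" | grep -q 'errno=104'; then
            echo "HANDSHAKE_RESET"        # peer reset the TCP connection, no certificate to judge
        else
            echo "HANDSHAKE_FAILED"       # handshake ended without a certificate
        fi
    elif [ -n "$verify" ] && [ "$verify" != "0" ]; then
        echo "CHAIN_VERIFY_FAILED:$verify"  # certificate received, chain did not validate
    elif [ "$verify" = "0" ]; then
        echo "OK"
    else
        echo "UNKNOWN"
    fi
}

# Lines taken from the s_client output posted in this message.
PAGE_OUTPUT='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 247 bytes
---'

# Constructed sample: handshake completes, but the chain does not verify
# (21 is the OpenSSL code for "unable to verify the first certificate").
CONSTRUCTED_MISSING_INTERMEDIATE='CONNECTED(00000003)
---
SSL handshake has read 3105 bytes and written 421 bytes
---
    Verify return code: 21 (unable to verify the first certificate)
---'

printf '%s\n' "$PAGE_OUTPUT" | classify_s_client
printf '%s\n' "$CONSTRUCTED_MISSING_INTERMEDIATE" | classify_s_client
```

A `HANDSHAKE_RESET` result points at the connection itself (server-side logs, protocol or network path), while `CHAIN_VERIFY_FAILED` points at the certificate chain the server presents.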