[Xymon] False SSL cert alerts

Wed Jun 28 16:26:10 CEST 2017

No output from web server. Check it's logs for web server errors associated
with the IP address.

On 28 Jun. 2017 22:00, "Zoltan Forray" <zforray at vcu.edu> wrote:

> Thanks for the help and the command.  However, since I know very little
> about certs, here is the results:
>
> [xymon at xymon1 etc]$ openssl s_client -connect quikfm.vcu.edu:443
> -showcerts
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 247 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
>
> On Tue, Jun 27, 2017 at 7:56 PM, Phil Crooker <Phil.Crooker at orix.com.au>
> wrote:
>
>> Browsers are a pretty opaque tool for testing certificates because of
>> caching and locally stored certificates. Try openssl:
>>
>>
>>      openssl s_client -connect hostname:443 -showcerts
>>
>>
>> You should see the whole chain of certificates going back to a root cert.
>> Are you missing an intermediate certificate? You may need to add it to the
>> ssl config in the webserver - in apache you can just concatenate your host
>> cert and the intermediate.
>>
>>
>> s_client shows the status of the connection at the bottom:
>>
>>
>>     Verify return code: 0 (ok)
>>
>>
>> Not 0 is an error of course.
>>
>>
>> As s_client opens a connection, you need to CTRL-C to break out (or issue
>> an http command if you wish)
>>
>>
>> Hope that helps.
>>
>>
>> ------------------------------
>>
>> But now it simply refuses to get a valid https connection from the Xymon
>> server eventhough you can web-browse to it with no issues and the browser
>> says there is a valid https/cert/connection?  Is there any place in Xymon I
>> can see why it is failing?
>>
>> On Tue, Jun 27, 2017 at 3:39 PM, John Thurston <john.thurston at alaska.gov>
>> wrote:
>>
>>> On 6/27/2017 11:17 AM, Zoltan Forray wrote:
>>>
>>>> We are constantly having issues with sslcert alerts going non-green
>>>> eventhough it says the cert is fine.  Related to this is there being an
>>>> issue getting to the https page from the Xymon server yet I can access
>>>> it just fine from my browser.
>>>>
>>>
>>> Any failure to establish an SSL connection will result in an error under
>>> sslcert. Could it be a failure to negotiate a secure connection due to an
>>> unreliable network connection?
>>>
>>> I suggest looking in the error log on your web server. You may find
>>> severed or incomplete connection attempts.
>>>
>>> --
>>>    Do things because you should, not just because you can.
>>>
>>> John Thurston    907-465-8591
>>> John.Thurston at alaska.gov
>>> Department of Administration
>>> State of Alaska
>>> _______________________________________________
>>> Xymon mailing list
>>> Xymon at xymon.com
>>> http://lists.xymon.com/mailman/listinfo/xymon
>>>
>>
>>
>>
>> --
>> *Zoltan Forray*
>> Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
>> Xymon Monitor Administrator
>> VMware Administrator
>> Virginia Commonwealth University
>> UCC/Office of Technology Services
>> www.ucc.vcu.edu
>> zforray at vcu.edu - 804-828-4807 <(804)%20828-4807>
>> Don't be a phishing victim - VCU and other reputable organizations will
>> never use email to request that you reply with your password, social
>> security number or confidential personal information. For more details
>> visit http://infosecurity.vcu.edu/phishing.html
>> --
>>
>> Please consider the environment before printing this e-mail
>>
>> This message from ORIX Australia may contain confidential and/or
>> privileged information. If you are not the intended recipient, any use,
>> disclosure or copying of this message (or of any attachments to it) is not
>> authorised. If you have received this message in error, please notify the
>> sender immediately and delete the message and any attachments from your
>> system. Please inform the sender if you do not wish to receive further
>> communications by email.
>>
>> ORIX has a Privacy Policy which outlines what kinds of personal
>> information we collect and hold, how we may collect and handle it, and your
>> rights regarding personal information. Please let us know if you would like
>> a copy. The Privacy Policy and a Collection Statement are also available on
>> our website <http://www.orix.com.au>.
>>
>> We do not accept liability for any loss or damage caused by any computer
>> viruses or defects that may be transmitted with this message. We recommend
>> you carry out your own checks for viruses or defects.
>>
>
>
>
> --
> *Zoltan Forray*
> Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
> Xymon Monitor Administrator
> VMware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zforray at vcu.edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20170629/e2176b9d/attachment.html>