[Xymon] SSL Error after upgrading to Fedora 18
Another Xymon User
xymon at epperson.homelinux.net
Mon Jan 28 19:35:02 CET 2013
See, the baffling thing is that it's only with xymon verification,
not with openssl command line. xymon's somehow using a ca-bundle that
does not have your self-signing cert in it. But since xymon doesn't have
a configuration construct for pointing to a ca-bundle, it's taking a
default. I would expect that to be the same default that "openssl verify
<certfile>" takes. Oh, well. Hope you can figure it out.
On 2013-01-28 8:48, Jason Chambers wrote:
> Yep. Openssl-devel-1:1.0.1c-7.fc18. Plus all of our GoDaddy certs are
> validating fine. Just our Windows CA signed cert on this web server isn't.
>
> Jason Chambers
> Network Administrator | Geosoft
> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] |
> T +1 416.369.0111 #344 | M +1 416.508.1410
>
> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
>
> FROM: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] ON BEHALF OF Another Xymon User
> SENT: January-25-13 4:09 PM
> TO: xymon at xymon.com
> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
>
> With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17
> without my self-signing CA cert appended to the file pointed to by
> "certificate=", I get an error 20. Append the cert, I get an ok. That
> should emulate what xymon is doing, I think.
>
> You _did_ have openssl-devel installed when you built xymon, right?
>
> On 2013-01-25 14:24, Jason Chambers wrote:
>
>> Yes, I've downloaded the webapp2013 server cert in pem format and used
>> openssl to verify that it's ok.
>>
>> JASON CHAMBERS
>> Network Administrator | Geosoft
>> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] |
>> T +1 416.369.0111 #344 | M +1 416.508.1410
>>
>> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
>>
>> FROM: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] ON BEHALF OF Another Xymon User
>> SENT: January-25-13 1:10 PM
>> TO: xymon at xymon.com
>> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
>>
>> So things are good with an explicit path to the CA bundle.
>>
>> Are the "[ ca ]" and " [ CA_default ]" sections in /etc/pki/tls/openssl.cnf
>> correct? Is the geosoft.crt file included in the file pointed to by
>> "certificate =" in CA_default? (On my F17 systems that is cacert.pem, which
>> is a symlink to /etc/pki/tls/certs/ca-bundle.crt)
>>
>> On 2013-01-25 12:16, Jason Chambers wrote:
>>
>>> Not a problem with that.
>>>
>>> * Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> * CAfile: ./geosoft.crt
>>> CApath: none
>>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>>> * Server certificate:
>>> * subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
>>> * start date: Nov 12 17:31:09 2012 GMT
>>> * expire date: Nov 12 17:31:09 2014 GMT
>>> * common name: webapp2013.geosoft.com
>>> * issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
>>>
>>> JASON CHAMBERS
>>> Network Administrator | Geosoft
>>> geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] |
>>> T +1 416.369.0111 #344 | M +1 416.508.1410
>>>
>>> Trending topic on Earth Explorer: VOXI Earth Modelling [11]
>>>
>>> FROM: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
>>> SENT: January-25-13 11:11 AM
>>> TO: Jason Chambers
>>> CC: Henrik Størner; xymon at xymon.com
>>> SUBJECT: Re: [Xymon] SSL Error after upgrading to Fedora 18
>>>
>>> Try handing curl the CA cert for your internal CA:
>>>
>>> curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com [12]
>>>
>>> Ralph Mitchell
>>>
>>> On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <Jason.Chambers at geosoft.com> wrote:
>>>
>>>> I think there might be a bug in OpenSSL in this build of Fedora 18 (which
>>>> I have updated.) I ran the command you gave me and I'm getting this:
>>>>
>>>> CONNECTED(00000003)
>>>> write:errno=104
>>>> ---
>>>> no peer certificate available
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 0 bytes and written 172 bytes
>>>> ---
>>>> New, (NONE), Cipher is (NONE)
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> ---
>>>>
>>>> Which is suggesting that there isn't an SSL certificate there. Yet when I
>>>> curl the location:
>>>>
>>>> curl: (60) Peer's Certificate issuer is not recognized.
>>>> More details here: http://curl.haxx.se/docs/sslcerts.html [1]
>>>>
>>>> curl performs SSL certificate verification by default, using a "bundle"
>>>> of Certificate Authority (CA) public keys (CA certs). If the default
>>>> bundle file isn't adequate, you can specify an alternate file
>>>> using the --cacert option.
>>>> If this HTTPS server uses a certificate signed by a CA represented in
>>>> the bundle, the certificate verification probably failed due to a
>>>> problem with the certificate (it might be expired, or the name might
>>>> not match the domain name in the URL).
>>>> If you'd like to turn off curl's verification of the certificate, use
>>>> the -k (or --insecure) option.
>>>>
>>>> Would this be everyone else's conclusion as well?
>>>>
>>>> Jason Chambers
>>>> Network Administrator | Geosoft
>>>> geosoft.com [2] | blog | twitter | linkedIn | facebook | T +1 416.369.0111 #344 [3] | M +1 416.508.1410 [4]
>>>>
>>>> Trending topic on Earth Explorer: VOXI Earth Modelling
>>>>
>>>> -----Original Message-----
>>>> From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
>>>> Sent: January-25-13 1:38 AM
>>>> To: xymon at xymon.com
>>>> Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
>>>>
>>>> On 24-01-2013 21:43, Jason Chambers wrote:
>>>> > I just upgraded to Fedora 18, and now servers that have SSL signed by
>>>> > our internal CA are failing. The http test simply shows "SSL error"
>>>> > meanwhile our public (GoDaddy) certs aren't causing issues. Is there a
>>>> > log file I can peer into to find out why I'm getting these error
>>>> > messages all of a sudden?
>>>>
>>>> No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
>>>> This performs a connect and SSL handshake, which is basically the same as
>>>> what Xymon does.
>>>>
>>>> I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the
>>>> SSL libraries. Perhaps some defaults changed in relation to how openssl
>>>> performs automatic certificate validation? Would surprise me, though.
>>>>
>>>> Regards,
>>>> Henrik
>>>>
>>>> _______________________________________________
>>>> Xymon mailing list
>>>> Xymon at xymon.com
>>>> http://lists.xymon.com/mailman/listinfo/xymon [5]
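The whole thread comes down to which CA bundle the verifier consults: the same server certificate is "OK" when the internal CA is in the bundle and fails with error 20 when it is not. The script below is an added example, not code from the list thread or from the Xymon project. It builds a throwaway internal CA, a server certificate signed by it, and an unrelated "public" CA with the openssl CLI, then runs `openssl verify` once against a bundle that lacks the internal CA and once against the same bundle with the internal CA appended, reproducing the error 20 versus OK outcome described above. It also prints the directory this OpenSSL build uses for its default trust store, which is what a program with no bundle setting of its own falls back to. Every name, subject and path in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or Xymon): reproduce "error 20" vs "OK"
# from `openssl verify` depending on whether the internal CA is in the bundle.
# All keys and certificates are generated in a throwaway directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: a throwaway "internal CA" (stand-in for the Windows CA in the
# thread), a server certificate it signs, and an unrelated CA that plays the
# role of the public CAs already present in the distribution bundle.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/internal-ca.key" -out "$WORK/internal-ca.crt" \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=webapp.example.internal" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/internal-ca.crt" -CAkey "$WORK/internal-ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.crt" \
        -subj "/CN=Example Public CA" >/dev/null 2>&1
    # bundle as shipped: public CA only; bundle as fixed: internal CA appended
    cp "$WORK/public-ca.crt" "$WORK/bundle-without.crt"
    cat "$WORK/public-ca.crt" "$WORK/internal-ca.crt" > "$WORK/bundle-with.crt"
}

# verify_cert BUNDLE CERT: prints "OK" or "error N", where N is the X509
# verify error code (20 = unable to get local issuer certificate). The output
# is parsed instead of the exit status because OpenSSL 1.0.x `verify` exits 0
# even when verification fails.
verify_cert() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) echo "OK"; return 0 ;;
    esac
    code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "error ${code:-unknown}"
}

# default_trust_store: the OPENSSLDIR this build consults when a program gives
# no bundle of its own (the default a test without a CA-bundle setting gets).
default_trust_store() {
    openssl version -d
}

make_test_pki
echo "default store: $(default_trust_store)"
echo "bundle without internal CA: $(verify_cert "$WORK/bundle-without.crt" "$WORK/server.crt")"
echo "bundle with internal CA:    $(verify_cert "$WORK/bundle-with.crt" "$WORK/server.crt")"
```

The first `verify_cert` call reports `error 20` and the second `OK`; the only difference between the two runs is the CA appended to the bundle, which is the same fix the thread arrives at for the distribution's ca-bundle.crt. Appending an internal CA to a distribution bundle is overwritten by package updates, so recording where it was added (the file `openssl version -d` points under) is worth doing when the fix is applied.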
Links:
------
[1] http://curl.haxx.se/docs/sslcerts.html
[2] http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4] tel:%2B1%20416.508.1410
[5] http://lists.xymon.com/mailman/listinfo/xymon
[6] http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8] http://twitter.com/geosoft
[9] http://www.linkedin.com/company/geosoft-inc.
[10] http://www.facebook.com/GeosoftInc
[11] http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12] https://server.domain.com