Xymon Mailing List Archive search

False SSL cert alerts

list Phil Crooker
Tue, 27 Jun 2017 23:56:16 +0000
Message-Id: <user-269189d62528@xymon.invalid>

Browsers are a pretty opaque tool for testing certificates because of caching and locally stored certificates. Try openssl:


     openssl s_client -connect hostname:443 -showcerts


You should see the whole chain of certificates going back to a root cert. Are you missing an intermediate certificate? You may need to add it to the ssl config in the webserver - in apache you can just concatenate your host cert and the intermediate.


s_client shows the status of the connection at the bottom:


    Verify return code: 0 (ok)


Not 0 is an error of course.


As s_client opens a connection, you need to CTRL-C to break out (or issue an http command if you wish)


Hope that helps.


But now it simply refuses to get a valid https connection from the Xymon server eventhough you can web-browse to it with no issues and the browser says there is a valid https/cert/connection?  Is there any place in Xymon I can see why it is failing?

On Tue, Jun 27, 2017 at 3:39 PM, John Thurston <user-ce4d79d99bab@xymon.invalid<mailto:user-ce4d79d99bab@xymon.invalid>> wrote:
On 6/27/2017 11:17 AM, Zoltan Forray wrote:
We are constantly having issues with sslcert alerts going non-green
eventhough it says the cert is fine.  Related to this is there being an
issue getting to the https page from the Xymon server yet I can access
it just fine from my browser.

Any failure to establish an SSL connection will result in an error under sslcert. Could it be a failure to negotiate a secure connection due to an unreliable network connection?

I suggest looking in the error log on your web server. You may find severed or incomplete connection attempts.

--
   Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX<tel:XXX-XXX-XXXX>
user-ce4d79d99bab@xymon.invalid<mailto:user-ce4d79d99bab@xymon.invalid>
Department of Administration
State of Alaska


--
Zoltan Forray
Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
Xymon Monitor Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu<http://www.ucc.vcu.edu>;
user-755163d80bce@xymon.invalid<mailto:user-755163d80bce@xymon.invalid> - XXX-XXX-XXXX
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html