Xymon Mailing List Archive

SSL Error after upgrading to Fedora 18

list Another Xymon User
Fri, 25 Jan 2013 16:09:20 -0500
Message-Id: <user-8eeb42caeb86@xymon.invalid>

With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17
without my self-signing CA cert appended to the file pointed to by
"certificate=", I get an error 20. Append the cert, I get an ok. That
should emulate what xymon is doing, I think.

You _did_ have openssl-devel installed when you built xymon, right?

On 2013-01-25 14:24, Jason Chambers wrote:
Yes, I've downloaded the webapp2013 server cert in pem format and used
openssl to verify that it's ok.

Jason Chambers
Network Administrator | Geosoft
geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] |
T +1 XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX
Trending topic on Earth Explorer: VOXI Earth Modelling [11]

From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Another Xymon User
Sent: January-25-13 1:10 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
So things are good with an explicit path to the CA bundle.

Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf
correct? Is the geosoft.crt file included in the file pointed to by
"certificate =" in CA_default? (On my F17 systems that is cacert.pem, which
is a slink to /etc/pki/tls/certs/ca-bundle.crt)

On 2013-01-25 12:16, Jason Chambers wrote:
Not a problem with that.

* Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./geosoft.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
*       start date: Nov 12 17:31:09 2012 GMT
*       expire date: Nov 12 17:31:09 2014 GMT
*       common name: webapp2013.geosoft.com
*       issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
Jason Chambers
Network Administrator | Geosoft
From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: January-25-13 11:11 AM
To: Jason Chambers
Cc: Henrik Størner
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

Try handing curl the CA cert for your internal CA:

curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com [12]

Ralph Mitchell

On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <user-3fa671c0a30d@xymon.invalid> wrote:
I think there might be a bug in OpenSSL in this build of Fedora 18 (which I
have updated.) I ran the command you gave me and I'm getting this:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Which is suggesting that there isn't an SSL certificate there. Yet when I
curl the location:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html [1]

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Would this be everyone else's conclusion as well?

Jason Chambers
Network Administrator | Geosoft

-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: January-25-13 1:38 AM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

On 24-01-2013 21:43, Jason Chambers wrote:
I just upgraded to Fedora 18, and now servers that have SSL signed by our
internal CA are failing. The http test simply shows "SSL error", meanwhile
our public (GoDaddy) certs aren't causing issues. Is there a log file I can
peer into to find out why I'm getting these error messages all of a sudden?

No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
This performs a connect and SSL handshake, which is basically the same as
what Xymon does.

I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the
SSL libraries. Perhaps some defaults changed in relation to how openssl
performs automatic certificate validation? Would surprise me, though.

Regards,
Henrik


Xymon mailing list
Links:
[1] http://curl.haxx.se/docs/sslcerts.html
[2] http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4] tel:%2B1%20416.508.1410
[6] http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8] http://twitter.com/geosoft
[9] http://www.linkedin.com/company/geosoft-inc.
[10] http://www.facebook.com/GeosoftInc
[11] http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12] https://server.domain.com
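The "openssl verify" check discussed in the thread (error 20 when the internal CA is missing from the bundle, OK once it is appended), rebuilt offline as an added example that is not from the thread or from Xymon. A throw-away CA and server certificate stand in for the Geosoft ones; every name, path and the hypothetical verify_against_bundle helper are constructed for the demo.

```shell
#!/bin/sh
# Added demo: a throw-away internal CA signs a server cert; verifying that
# cert against a bundle that lacks the CA fails (error 20, "unable to get
# local issuer certificate"), and succeeds once the CA cert is appended.
# All names and paths below are constructed, not from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert_ca NAME -> self-signed CA cert/key in $WORK/NAME.crt, $WORK/NAME.key
mkcert_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mkcert_ca internal-ca          # stands in for the site's own CA
mkcert_ca unrelated-public-ca  # stands in for what the distro bundle holds

# Server cert signed by the internal CA (what the http test sees on :443)
openssl req -newkey rsa:2048 -nodes -subj "/CN=webapp.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/internal-ca.crt" \
    -CAkey "$WORK/internal-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" >/dev/null 2>&1

# verify_against_bundle CERT BUNDLE -> prints "ok", or the first "error N"
# line that openssl verify reports (20 = issuer cert not found locally)
verify_against_bundle() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    case "$out" in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" | grep -o 'error [0-9][0-9]*' | head -n 1 ;;
    esac
}

# Bundle without the internal CA: the situation reported in the thread
cp "$WORK/unrelated-public-ca.crt" "$WORK/ca-bundle.crt"
echo "without internal CA: $(verify_against_bundle "$WORK/server.crt" "$WORK/ca-bundle.crt")"
# Append the internal CA cert to the bundle, as the reply above suggests
cat "$WORK/internal-ca.crt" >> "$WORK/ca-bundle.crt"
echo "with internal CA:    $(verify_against_bundle "$WORK/server.crt" "$WORK/ca-bundle.crt")"
```

The same two-state check applies to the real bundle named by "certificate =" in openssl.cnf: point -CAfile at it and the result shows whether the internal CA is present.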