Xymon Mailing List Archive

SSL Error after upgrading to Fedora 18

Another Xymon User
Mon, 28 Jan 2013 13:35:02 -0500
Message-Id: <user-9f6ade3fd113@xymon.invalid>


See, the baffling thing is that it's only with xymon verification,
not with openssl command line. xymon's somehow using a ca-bundle that
does not have your self-signing cert in it. But since xymon doesn't have
a configuration construct for pointing to a ca-bundle, it's taking a
default. I would expect that to be the same default that "openssl verify
<certfile>" takes. Oh, well. Hope you can figure it out. 

On 2013-01-28 8:48, Jason Chambers wrote:
Yep. Openssl-devel-1:1.0.1c-7.fc18. Plus all of our GoDaddy certs are
validating fine. Just our Windows CA signed cert on this web server isn't.

Jason Chambers
Network Administrator | Geosoft
geosoft.com [6] | blog [7] | twitter [8] | linkedIn [9] | facebook [10] | T +X XXX.XXX.XXXX #344 | M +1 XXX.XXX.XXXX
Trending topic on Earth Explorer: VOXI Earth Modelling [11]
From: xymon-bounces at xymon.com on behalf of Another Xymon User
Sent: January-25-13 4:09 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17
without my self-signing CA cert appended to the file pointed to by
"certificate=", I get an error 20. Append the cert, I get an ok. That should
emulate what xymon is doing, I think.
You _did_ have openssl-devel installed when you built xymon, right?

On 2013-01-25 14:24, Jason Chambers wrote:
Yes, I've downloaded the webapp2013 server cert in pem format and used
openssl to verify that it's ok.

From: xymon-bounces at xymon.com on behalf of Another Xymon User
Sent: January-25-13 1:10 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
So things are good with an explicit path to the CA bundle.

Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf
correct? Is the geosoft.crt file included in the file pointed to by
"certificate =" in CA_default? (On my F17 systems that is cacert.pem, which
is a slink to /etc/pki/tls/certs/ca-bundle.crt)

On 2013-01-25 12:16, Jason Chambers wrote:
Not a problem with that.

* Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./geosoft.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
*       start date: Nov 12 17:31:09 2012 GMT
*       expire date: Nov 12 17:31:09 2014 GMT
*       common name: webapp2013.geosoft.com
*       issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
From: Ralph Mitchell <user-00a5e44c48c0@xymon.invalid>
Sent: January-25-13 11:11 AM
To: Jason Chambers
CC: Henrik Størner; xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
Try handing curl the CA cert for your internal CA:

curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com [12]

Ralph Mitchell

On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers
<user-3fa671c0a30d@xymon.invalid> wrote:
I think there might be a bug in OpenSSL in this build of Fedora 18 (which I
have updated.) I ran the command you gave me and I'm getting this:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Which is suggesting that there isn't an SSL certificate there. Yet when I
curl the location:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html [1]

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Would this be everyone else's conclusion as well?

-----Original Message-----
From: xymon-bounces at xymon.com On Behalf Of Henrik Størner
Sent: January-25-13 1:38 AM
To:
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18
On 24-01-2013 21:43, Jason Chambers wrote:
I just upgraded to Fedora 18, and now servers that have SSL signed by
our internal CA are failing. The http test simply shows "SSL error"
meanwhile our public (GoDaddy) certs aren't causing issues. Is there a
log file I can peer into to find out why I'm getting these error
messages all of a sudden?

No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
This performs a connect and SSL handshake, which is basically the same
as what Xymon does.

I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the
SSL libraries. Perhaps some defaults changed in relation to how openssl
performs automatic certificate validation? Would surprise me, though.

Regards,
Henrik


Xymon mailing list
Links:
[1] http://curl.haxx.se/docs/sslcerts.html
[2] http://geosoft.com
[3] tel:%2B1%20416.369.0111%20%23344
[4] tel:%2B1%20416.508.1410
[5]
[6] http://www.geosoft.com/
[7] http://blogs.geosoft.com/
[8] http://twitter.com/geosoft
[9] http://www.linkedin.com/company/geosoft-inc.
[10] http://www.facebook.com/GeosoftInc
[11] http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp
[12] https://server.domain.com