Xymon Mailing List Archive

https failure in 4.3.4, not in 4.2.3

5 messages in this thread

list Paul Root · Wed, 31 Aug 2011 09:25:34 -0500 ·
I upgraded my last xymon server from 4.2.3 to 4.3.4 this morning. It went well, except for one little thing. https tests.

I found that my proxy machines just ran http tests, but my main server runs https tests. An oversight I'm now correcting. How I found this is that my tests are now failing:


red Wed Aug 31 09:21:47 2011:
red https://iadnasp1.mns.qintra.com/ -
Seconds:     0.06

If I run a curl on the site, I get:

$ curl https://iadnasp1
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Using the --insecure works correctly.

So, we have an internal CA. So I'm guessing I need to install the CA's certificate of authority to clear this issue up?
Where do I do that?

Paul.


Paul Root    - Engineer III  - Qwest is now CenturyLink


This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
list Henrik Størner · Wed, 31 Aug 2011 21:45:31 +0200 ·
quoted from Paul Root
> I upgraded my last xymon server from 4.2.3 to 4.3.4 this morning. It went well, except for one little thing. https tests.
[snip]
> If I run a curl on the site, I get:
>
> $ curl https://iadnasp1
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[snip]
> So, we have an internal CA. So I'm guessing I need to install the CA's certificate of authority to clear this issue up?

No, you don't. Xymon doesn't perform validation of certificate chains like curl does - essentially, Xymon behaves like curl with the "--insecure" option.

Try running "xymonnet --version" to see if it is able to load the SSL library at all - you should see the SSL library version listed. If that doesn't give you a clue, run "xymoncmd xymonnet --debug HOSTNAME" and see what details it gives about why it cannot connect to the site.


Regards,
Henrik
list Paul Root · Wed, 31 Aug 2011 15:57:14 -0500 ·
Hmm, xymonnet --version doesn't give me much:

$ xymonnet --version
xymonnet version 4.3.4


I just found that the server I built 4.3.4 on doesn't have the openssl-devel rpm installed.

So, I need to rebuild that.

Then I should be able to do a make install over the top, and it won't mess up my configuration files right? (/etc/xymon)


Paul Root    - Engineer III  - Qwest is now CenturyLink

list Henrik Størner · Wed, 31 Aug 2011 22:59:04 +0200 ·
quoted from Paul Root
> Hmm, xymonnet --version doesn't give me much:
>
> $ xymonnet --version
> xymonnet version 4.3.4

Nope, this version of xymonnet was built without openssl support.

> I just found that the server I built 4.3.4 on doesn't have the openssl-devel rpm installed.

Figures.

> So, I need to rebuild that.
>
> Then I should be able to do a make install over the top, and it won't mess up my configuration files right? (/etc/xymon)

Correct. If it makes you more comfortable, you can just copy the xymonnet binary into ~xymon/server/bin/


Regards,
Henrik
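
The diagnosis reached above (https tests go red because xymonnet was built without an SSL library) can be turned into a post-upgrade check. This is an added example, not code from the thread or from the Xymon project; the function names, the hosts-file layout and the "SSL library" line are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag https tests that cannot run because xymonnet lacks SSL.

# has_ssl_support VERSION_TEXT -> exit 0 if the text names an SSL library.
# Assumption: an SSL-enabled build prints a line containing "SSL"; the thread
# only shows the output of a build without it.
has_ssl_support() {
    printf '%s\n' "$1" | grep -qi 'ssl'
}

# count_https_tests HOSTS_FILE -> number of non-comment lines with https://
count_https_tests() {
    awk '!/^[ \t]*#/ && /https:\/\// { n++ } END { print n + 0 }' "$1"
}

# check_build VERSION_TEXT HOSTS_FILE
# Returns 1 when https tests are configured but the binary has no SSL library.
check_build() {
    n=$(count_https_tests "$2")
    if has_ssl_support "$1"; then
        echo "OK: SSL library reported; $n https test(s) can run"
        return 0
    fi
    if [ "$n" -gt 0 ]; then
        echo "FAIL: xymonnet built without SSL; $n https test(s) will go red"
        return 1
    fi
    echo "WARN: xymonnet built without SSL; no https tests configured"
    return 0
}

# Constructed sample input. NO_SSL_OUT matches the output quoted in the thread;
# the "SSL library" line and the hosts entries are made up for illustration.
NO_SSL_OUT='xymonnet version 4.3.4'
WITH_SSL_OUT='xymonnet version 4.3.4
SSL library : OpenSSL (constructed sample line)'
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed hosts file
192.0.2.10 web1.example.com # https://web1.example.com/
192.0.2.11 web2.example.com # http://web2.example.com/
192.0.2.12 web3.example.com # https://web3.example.com/ ssh
#192.0.2.13 old.example.com # https://old.example.com/
EOF

check_build "$NO_SSL_OUT" "$SAMPLE_HOSTS" || true
check_build "$WITH_SSL_OUT" "$SAMPLE_HOSTS"
```

On a live server, pass `"$(xymonnet --version 2>&1)"` and the path of your own hosts file instead of the sample values.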
list Paul Root · Wed, 31 Aug 2011 16:05:22 -0500 ·
Thanks Henrik!

Paul Root    - Engineer III  - Qwest is now CenturyLink
