SSL Error after upgrading to Fedora 18
Jason Chambers

Hi all,

I just upgraded to Fedora 18, and now servers that have SSL signed by our internal CA are failing. The http test simply shows "SSL error"; meanwhile, our public (GoDaddy) certs aren't causing issues. Is there a log file I can peer into to find out why I'm getting these error messages all of a sudden?

Jason Chambers
Network Administrator | Geosoft
geosoft.com <http://www.geosoft.com/> | blog <http://blogs.geosoft.com/> | twitter <http://twitter.com/geosoft> | linkedIn <http://www.linkedin.com/company/geosoft-inc.> | facebook <http://www.facebook.com/GeosoftInc> | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX
Trending topic on Earth Explorer: VOXI Earth Modelling <http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp>
Josh Luthman

Make sure ssl.conf is correct. This really isn't the place for an Apache discussion, however. You're looking more for httpd support - http://httpd.apache.org/support.html

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St Suite XXXX
Troy, OH XXXXX
Ralph Mitchell

It sounds like perhaps your internal CA certificate(s) are no longer available for xymon to validate the server certificates. I don't have a Fedora 18 installation handy right now, but looking at CentOS 6, the CA cert bundle is part of the ca-certificates RPM:

    /etc/pki/tls/certs/ca-bundle.crt

You could try adding your CA cert pem file to the end of that file, or wherever the bundle lives.

Ralph Mitchell
Another Xymon User

This looks odd. I thought I remembered Henrik saying that xymon doesn't test CA chains, and found this:

> So, we have an internal CA. So I'm guessing I need to install the CA's certificate of authority to clear this issue up?

No, you don't. Xymon doesn't perform validation of certificate chains like curl does - essentially, Xymon behaves like curl with the "--insecure" option. Try running "xymonnet --version" to see if it is able to load the SSL library at all - you should see the SSL library version listed. If that doesn't give you a clue, run "xymoncmd xymonnet --debug HOSTNAME" and see what details it gives about why it cannot connect to the site.

(http://lists.xymon.com/pipermail/xymon/2011-August/032384.html)

But the problem in that instance was the openssl libraries not being linked into xymon, and if that were Jason's case I'd expect the GoDaddy certs to be failed as well. In any case, the diagnostics Henrik calls out might give a clue.
Henrik Størner

No logfile, but try running "openssl s_client -connect IPADDRESS:PORT". This performs a connect and SSL handshake, which is basically the same as what Xymon does. I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the SSL libraries. Perhaps some defaults changed in relation to how openssl performs automatic certificate validation? Would surprise me, though.

Regards,
Henrik
Jason Chambers

I think there might be a bug in OpenSSL in this build of Fedora 18 (which I have updated). I ran the command you gave me and I'm getting this:

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 172 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

Which is suggesting that there isn't an SSL certificate there. Yet when I curl the location:

    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file using
     the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name
     might not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

Would this be everyone else's conclusion as well?

Jason Chambers
Network Administrator | Geosoft
Ralph Mitchell

Try handing curl the CA cert for your internal CA:

    curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com

Ralph Mitchell
Jason Chambers

Not a problem with that.

    * Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: ./geosoft.crt
      CApath: none
    * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
    * Server certificate:
    *       subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
    *       start date: Nov 12 17:31:09 2012 GMT
    *       expire date: Nov 12 17:31:09 2014 GMT
    *       common name: webapp2013.geosoft.com
    *       issuer: CN=Geosoft Inc.,DC=geosoft,DC=com
Another Xymon User

So things are good with an explicit path to the CA bundle. Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf correct? Is the geosoft.crt file included in the file pointed to by "certificate =" in CA_default? (On my F17 systems that is cacert.pem, which is a symlink to /etc/pki/tls/certs/ca-bundle.crt)
Jason Chambers

Yes, I've downloaded the webapp2013 server cert in PEM format and used openssl to verify that it's ok.
Another Xymon User

With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17 without my self-signing CA cert appended to the file pointed to by "certificate=", I get an error 20. Append the cert, I get an ok. That should emulate what xymon is doing, I think. You _did_ have openssl-devel installed when you built xymon, right?
Jason Chambers

Yep. openssl-devel-1:1.0.1c-7.fc18. Plus all of our GoDaddy certs are validating fine. Just our Windows CA signed cert on this web server isn't.
▸
Jason Chambers Network Administrator | Geosoft geosoft.com<http://www.geosoft.com/>; | blog<http://blogs.geosoft.com/>; | twitter<http://twitter.com/geosoft>; | linkedIn<http://www.linkedin.com/company/geosoft-inc.>; | facebook<http://www.facebook.com/GeosoftInc>; | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX Trending topic on Earth Explorer: VOXI Earth Modelling<http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp>;
▸
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Another Xymon User
Sent: January-25-13 4:09 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

With "openssl verify <certfile>"? Then I'm stumped. If I do that on F17 without my self-signing CA cert appended to the file pointed to by "certificate=", I get an error 20. Append the cert, I get an ok. That should emulate what xymon is doing, I think.

You _did_ have openssl-devel installed when you built xymon, right?

On 2013-01-25 14:24, Jason Chambers wrote:

Yes, I've downloaded the webapp2013 server cert in pem format and used openssl to verify that it's ok.

From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Another Xymon User
Sent: January-25-13 1:10 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

So things are good with an explicit path to the CA bundle. Are the "[ ca ]" and "[ CA_default ]" sections in /etc/pki/tls/openssl.cnf correct? Is the geosoft.crt file included in the file pointed to by "certificate =" in CA_default? (On my F17 systems that is cacert.pem, which is a symlink to /etc/pki/tls/certs/ca-bundle.crt)

On 2013-01-25 12:16, Jason Chambers wrote:

Not a problem with that.

* Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./geosoft.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*   subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
*   start date: Nov 12 17:31:09 2012 GMT
*   expire date: Nov 12 17:31:09 2014 GMT
*   common name: webapp2013.geosoft.com
*   issuer: CN=Geosoft Inc.,DC=geosoft,DC=com

From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: January-25-13 11:11 AM
To: Jason Chambers
Cc: Henrik Størner; xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

Try handing curl the CA cert for your internal CA:

curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com

Ralph Mitchell

On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <user-3fa671c0a30d@xymon.invalid> wrote:

I think there might be a bug in OpenSSL in this build of Fedora 18 (which I have updated.) I ran the command you gave me and I'm getting this:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Which is suggesting that there isn't an SSL certificate there. Yet when I curl the location:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Would this be everyone else's conclusion as well?

-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: January-25-13 1:38 AM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

On 24-01-2013 21:43, Jason Chambers wrote:

I just upgraded to Fedora 18, and now servers that have SSL signed by our internal CA are failing. The http test simply shows "SSL error"; meanwhile our public (GoDaddy) certs aren't causing issues. Is there a log file I can peer into to find out why I'm getting these error messages all of a sudden?

No logfile, but try running "openssl s_client -connect IPADDRESS:PORT". This performs a connect and SSL handshake, which is basically the same as what Xymon does. I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the SSL libraries. Perhaps some defaults changed in relation to how openssl performs automatic certificate validation? Would surprise me, though.

Regards,
Henrik
list Another Xymon User
See, the baffling thing is that it's only with xymon verification, not with openssl command line. xymon's somehow using a ca-bundle that does not have your self-signing cert in it. But since xymon doesn't have a configuration construct for pointing to a ca-bundle, it's taking a default. I would expect that to be the same default that "openssl verify <certfile>" takes. Oh, well. Hope you can figure it out.

On 2013-01-28 8:48, Jason Chambers wrote:

Yep. openssl-devel-1:1.0.1c-7.fc18. Plus all of our GoDaddy certs are validating fine. Just our Windows CA signed cert on this web server isn't.
list Jason Chambers
Looks like Xymon is using a cipher not supported by my server… Found this:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Anyone have a suggestion for a fix?
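The thread ends with the Windows event log pointing at a cipher-suite mismatch, and the "openssl s_client" output posted earlier already said the same thing: 172 bytes written, 0 bytes read, no peer certificate. A server that drops the connection while processing the ClientHello never gets as far as sending its certificate, so that output cannot be a trust or CA-bundle problem; it also explains why the downloaded certificate passed "openssl verify" (which only inspects the file and never opens a connection) while the monitor's handshake failed. The script below is an added example, not code from this thread or from the Xymon project. It wraps Henrik's s_client suggestion into a per-protocol-version probe and classifies the output so the two failure modes (connection dropped mid-handshake versus handshake completed but issuer untrusted) are told apart. The host, port and CA-bundle path are placeholders passed on the command line; the first sample output is the one posted in the thread, the other two are constructed.

```shell
#!/bin/sh
# Added example, not code from the Xymon thread or the Xymon project.
# Probes one TLS endpoint per protocol version with "openssl s_client" (the
# command Henrik suggested) and classifies the output, so that a connection the
# server drops mid-handshake is not misread as "no certificate there".
# Host, port and CA bundle path are placeholders supplied on the command line.

# One handshake attempt; prints the raw s_client output.
#   $1 host   $2 port   $3 protocol flag (-tls1 | -tls1_1 | -tls1_2)   $4 CA bundle
tls_probe() {
    # -servername sends SNI; -CAfile makes verification use the given bundle
    # (the internal CA, or the system bundle); stdin from /dev/null so s_client
    # exits right after the handshake instead of waiting for application data.
    openssl s_client -connect "$1:$2" -servername "$1" "$3" -CAfile "$4" \
        </dev/null 2>&1
}

# Reads s_client output on stdin and prints one verdict:
#   NO_RESPONSE      0 bytes read back: the server closed or reset the connection
#                    while processing the ClientHello. No certificate was ever
#                    sent, so this is a protocol-version or cipher-suite mismatch,
#                    not a trust problem.
#   UNKNOWN_ISSUER   handshake completed; chain does not end in a CA from -CAfile
#                    (verify return code 20 or 21). Fix the bundle, not the server.
#   VERIFY_ERROR:n   handshake completed; some other X.509 verification failure.
#   OK:<cipher>      handshake completed and the chain verified.
classify_sclient() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'SSL handshake has read 0 bytes'; then
        echo NO_RESPONSE
        return 0
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
    case "$code" in
        0)     echo "OK:$cipher" ;;
        20|21) echo UNKNOWN_ISSUER ;;
        '')    echo UNPARSED ;;
        *)     echo "VERIFY_ERROR:$code" ;;
    esac
}

# Sample 1 is the s_client output posted in the thread (reset after 172 bytes
# written, 0 read). Samples 2 and 3 are constructed to show the other verdicts.
SAMPLE_RESET=$(cat <<'EOF'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
EOF
)
SAMPLE_UNTRUSTED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = webapp.example.internal
verify error:num=20:unable to get local issuer certificate
---
SSL handshake has read 1492 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Verify return code: 20 (unable to get local issuer certificate)
---
EOF
)
SAMPLE_OK=$(cat <<'EOF'
CONNECTED(00000003)
---
SSL handshake has read 1492 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
---
EOF
)

for s in "$SAMPLE_RESET" "$SAMPLE_UNTRUSTED" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_sclient
done

# Live use: sh tlsprobe.sh webapp.example.internal 443 /path/to/internal-ca.pem
# Runs the handshake once per protocol version, so a server that only accepts
# TLS 1.0 shows up as NO_RESPONSE for -tls1_2 and OK for -tls1.
if [ "$#" -ge 2 ]; then
    for proto in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s ' "$proto"
        tls_probe "$1" "$2" "$proto" "${3:-/etc/pki/tls/certs/ca-bundle.crt}" | classify_sclient
    done
fi
```

Run against the real host, the per-version line tells you two separate things: which protocol versions the server completes a handshake for (anything that comes back NO_RESPONSE at -tls1_2 but OK at -tls1 is the situation the thread describes, where the client's newer ClientHello offers nothing the server will accept), and, once a handshake does complete, whether the chain verifies against the bundle you passed in -CAfile. Only the second problem is fixed by adding the internal CA to a bundle; the first has to be settled by changing the cipher or protocol policy on one side or the other.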