False SSL cert alerts
list Zoltan Forray
We are constantly having issues with sslcert alerts going non-green even though it says the cert is fine. Related to this is there being an issue getting to the https page from the Xymon server yet I can access it just fine from my browser.

The latest one is an http only check - no Xymon client. The host file shows:

128.172.23.196 https:quikfm.vcu.edu # testip https://quikfm.vcu.edu

Page is fully accessible. sslcert page says:

Mon Jun 26 06:06:48 2017 [image: green] SSL certificate for https://quikfm.vcu.edu/ expires in 315 days
Server certificate:
subject:/C=US/postalCode=23284/ST=VA/L=Richmond/street=box 843059/street=701 W Broad Street/O=Virginia Commonwealth University/OU=Business Applications support/CN=quikfm.vcu.edu
start date: 2015-05-08 00:00:00 GMT
expire date: 2018-05-07 23:59:59 GMT
key size: 2048
issuer:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA

To make matters even more confusing, I flushed out all history and now the sslcert info isn't there and it still says there is an SSL error. How can I figure out why I get SSL ERROR? Any help would be appreciated in figuring this out.

Xymon server is at 4.3.19.

--
Zoltan Forray
Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
Xymon Monitor Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
user-755163d80bce@xymon.invalid - XXX-XXX-XXXX
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
list John Thurston
On 6/27/2017 11:17 AM, Zoltan Forray wrote:
> We are constantly having issues with sslcert alerts going non-green even though it says the cert is fine. Related to this is there being an issue getting to the https page from the Xymon server yet I can access it just fine from my browser.
Any failure to establish an SSL connection will result in an error under sslcert. Could it be a failure to negotiate a secure connection due to an unreliable network connection?
I suggest looking in the error log on your web server. You may find severed or incomplete connection attempts.
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
list Zoltan Forray
But now it simply refuses to get a valid https connection from the Xymon server even though you can web-browse to it with no issues and the browser says there is a valid https/cert/connection? Is there any place in Xymon I can see why it is failing?

On Tue, Jun 27, 2017 at 3:39 PM, John Thurston <user-ce4d79d99bab@xymon.invalid> wrote:
list Jeremy Laidman
Can you run tcpdump and give it the private key to see what's happening? Maybe run xymonnet manually with debugging enabled?
On 28 Jun. 2017 05:59, "Zoltan Forray" <user-755163d80bce@xymon.invalid> wrote:
> But now it simply refuses to get a valid https connection from the Xymon server even though you can web-browse to it with no issues and the browser says there is a valid https/cert/connection? Is there any place in Xymon I can see why it is failing?
list Phil Crooker
Browsers are a pretty opaque tool for testing certificates because of caching and locally stored certificates. Try openssl:
openssl s_client -connect hostname:443 -showcerts
You should see the whole chain of certificates going back to a root cert. Are you missing an intermediate certificate? You may need to add it to the ssl config in the webserver - in apache you can just concatenate your host cert and the intermediate.
s_client shows the status of the connection at the bottom:
Verify return code: 0 (ok)
Not 0 is an error of course.
As s_client opens a connection, you need to CTRL-C to break out (or issue an http command if you wish)
Hope that helps.
> But now it simply refuses to get a valid https connection from the Xymon server even though you can web-browse to it with no issues and the browser says there is a valid https/cert/connection? Is there any place in Xymon I can see why it is failing?
list Zoltan Forray
Thanks for the help and the command. However, since I know very little about certs, here is the results:

[xymon at xymon1 etc]$ openssl s_client -connect quikfm.vcu.edu:443 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

On Tue, Jun 27, 2017 at 7:56 PM, Phil Crooker <user-e8e31cd73303@xymon.invalid> wrote:
list Jeremy Laidman
No output from web server. Check its logs for web server errors associated with the IP address.
On 28 Jun. 2017 22:00, "Zoltan Forray" <user-755163d80bce@xymon.invalid> wrote:
list Jonathan Trott
"Xymon" <xymon-bounces at xymon.com> wrote on 28/06/2017 21:52:42:
From: Zoltan Forray <user-755163d80bce@xymon.invalid>
To: Phil Crooker <user-e8e31cd73303@xymon.invalid>
Cc: "xymon at xymon.com" <xymon at xymon.com>
Date: 28/06/17 22:00
Subject: Re: [Xymon] False SSL cert alerts
Sent by: "Xymon" <xymon-bounces at xymon.com>
> Thanks for the help and the command. However, since I know very little about certs, here is the results:
>
> [xymon at xymon1 etc]$ openssl s_client -connect quikfm.vcu.edu:443 -showcerts
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 247 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
Have you tried adding the keyword "sni" to the end of the host line in the hosts.cfg?

The equivalent test from the shell is:

openssl s_client -connect quikfm.vcu.edu:443 -servername quikfm.vcu.edu

Thanks,
JT
list Phil Crooker
Well, I'm sure you'll learn quite a bit about certificates before you are done ;-)

This can be difficult to troubleshoot as it is all encrypted (or won't work at all because it is so broken that it can't be encrypted)! There are the errors: write:error=104, no peer cert and no cert CA names. You will just need to work out what is happening.

As Jeremy said, look at the server logs (esp the startup part). Try a self-signed certificate and see if that works. You probably need to set up a test server and play with that.... good luck.
Please consider the environment before printing this e-mail
This message from ORIX Australia may contain confidential and/or privileged information. If you are not the intended recipient, any use, disclosure or copying of this message (or of any attachments to it) is not authorised. If you have received this message in error, please notify the sender immediately and delete the message and any attachments from your system. Please inform the sender if you do not wish to receive further communications by email.
ORIX has a Privacy Policy which outlines what kinds of personal information we collect and hold, how we may collect and handle it, and your rights regarding personal information. Please let us know if you would like a copy. The Privacy Policy and a Collection Statement are also available on our website <http://www.orix.com.au>.
We do not accept liability for any loss or damage caused by any computer viruses or defects that may be transmitted with this message. We recommend you carry out your own checks for viruses or defects.
list Jeremy Laidman
On 29 June 2017 at 10:10, Phil Crooker <user-e8e31cd73303@xymon.invalid> wrote:
> Well, I'm sure you'll learn quite a bit about certificates before you are done ;-)
I think this has nothing to do with certificates.
> This can be difficult to troubleshoot as it is all encrypted (or won't work at all because it is so broken that it can't be encrypted)! There are the errors: write:error=104, no peer cert and no cert CA names. You will just need to work out what is happening.
And to me, most telling:

SSL handshake has read 0 bytes and written 247 bytes

So, "read 0 bytes". That means the web server didn't send a single packet during the SSL handshake, which is (I believe) the very first thing that happens. The webserver (probably) accepted a connection, but then sent nothing.
> As Jeremy said, look at the server logs (esp the startup part).
Actually, John said this first. I just reiterated.

Zoltan: please look at your webserver logs for errors and let us know what you see. If Apache, it will probably be a file called error_log or ssl_error_log or something like that. Perhaps you can run a "tail -f" on the logfile, and at the same time, run the openssl command again.

J
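Jonathan's "sni" keyword and Jeremy's reading of "read 0 bytes" both come down to one field in the first packet the client sends: the server_name (SNI) extension of the TLS ClientHello. A server that picks its certificate by SNI can close the connection before sending anything when that extension is absent, which is exactly a handshake that wrote 247 bytes and read 0. The script below is an added example for this thread, not code from Xymon, OpenSSL or any poster: it constructs two minimal ClientHello records (sample bytes, not a capture; the cipher suite and zero random are arbitrary choices) and parses a ClientHello for its SNI value, which is the check you would run over a tcpdump capture to confirm whether the monitor is sending the name at all.

```python
"""Inspect a TLS ClientHello for the server_name (SNI) extension.

Added example for this thread (not Xymon or OpenSSL code). `sni` in hosts.cfg and
`openssl s_client -servername` both add one thing to the ClientHello: the server_name
extension. A front end that selects its certificate by SNI may drop a hello without
it, which shows up in s_client as a handshake that "read 0 bytes".
"""
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # extension type for server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    The server_name extension is included only when server_name is given, so the two
    variants show exactly what the `sni` keyword adds on the wire.
    """
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += bytes(32)                   # random: zeros so the sample is deterministic
    body += b"\x00"                     # session_id: empty
    body += b"\x00\x02" + b"\xc0\x2f"   # cipher_suites: one entry (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                 # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is TLS 1.0, as real clients send it for compatibility
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the hello has none.

    Raises ValueError when the bytes are not a ClientHello record, so a capture of some
    other traffic is not silently reported as "no SNI".
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                            # skip version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte list length, then entries of name_type(1) + length(2) + name
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def describe(record):
    """One-line verdict for a ClientHello, for a quick look at a captured handshake."""
    name = extract_sni(record)
    if name is None:
        return "no server_name extension: a virtual host chosen by SNI cannot be selected"
    return "server_name = " + name


if __name__ == "__main__":
    for label, hello in (("without sni", build_client_hello()),
                         ("with sni", build_client_hello("quikfm.vcu.edu"))):
        print(f"{label}: {len(hello)} bytes, {describe(hello)}")
```

Running it prints the two verdicts; the "with sni" record is 23 bytes longer, and those 23 bytes are the whole difference between the failing and the working check. To apply the same test to real traffic, feed `extract_sni` the first TCP payload of a captured connection to port 443.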
list Zoltan Forray
On Wed, Jun 28, 2017 at 7:55 PM, Jonathan Trott <user-18b223f08ecd@xymon.invalid> wrote:
> Have you tried adding the keyword "sni" to the end of the host line in the hosts.cfg?
Adding "sni" worked! Not sure what changed. This has been running for a long time with no issues - just started failing a few days ago.