OCSAgent : SSL error with OCS Server Linux

Hello,

I'm setting up my OCS, but I have issues with the agent on Windows. In the logs, I see:

COM SERVER => Sending HTTP Post request to URL <https://myhost.ad.local/ocsinventory>
WARNING *** COM SERVER => Failed to send HTTP Post request <SSL connect error>
COM SERVER => Cleaning cURL library
ERROR *** AGENT => Failed to send Prolog <SSL connect error>

The file cacert.pem I use for the Agent has been downloaded from the Linux server /etc/pki/tls/certs/ocsng.pem and has been renamed to cacert.pem

Linux CentOS 7

Apache configuration

/etc/httpd/conf/httpd.conf

ServerRoot "/etc/httpd"
Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn
#LogLevel debug

EnableSendfile on

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

TraceEnable off
ServerSignature Off
ServerTokens ProductOnly

<VirtualHost *:80>

ServerName myhost.ad.local
DocumentRoot "/var/www/html"
RedirectPermanent "/" "https://192.168.51.15/"

</VirtualHost>

<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>

/etc/httpd/conf.d/ssl.conf

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>

DocumentRoot "/var/www/html"
ServerName myhost.ad.local


ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5

SSLCertificateFile /etc/pki/tls/certs/ocsng.pem
SSLCertificateKeyFile /etc/pki/tls/private/ocsng.key

#securing root directory
<Directory "/">
        Options None
        Order deny,allow
        Deny from all
        AllowOverride None
</Directory>

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted

</Directory>

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>

        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>

</VirtualHost>

/etc/httpd/conf.d/ocsinventory-reports.conf

################################################################################
#
# OCS Inventory NG Administration Server
#
# Copyleft 2008 OCS Inventory NG Team
# Web: http://www.ocsinventory-ng.org
#
# This code is open source and may be copied and modified as long as the source
# code is always made freely available.
# Please refer to the General Public Licence http://www.gnu.org/ or Licence.txt
################################################################################

#
# ANY CHANGE ON THIS FILE REQUIRES APACHE RESTART TO TAKE EFFECT
#

################################################################################
# Administration console public pages
#
# Alias used to put Administration Server static page (typically PHP) outside
# Apache document root directory
#
Alias /ocsreports /var/www/html/ocsreports

<Directory /var/www/html/ocsreports>
    # By default, users can use console from everywhere
    Order deny,allow
    Allow from all
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
    AllowOverride Options

    # Uncomment following to force use of HTTPS in Administration Server
    SSLRequireSSL

    # PHP tuning (not working on all distribution, use php.ini instead)
    AddType application/x-httpd-php .php
    php_flag file_uploads           on
    # Some PHP tuning for deployement feature up to 8 MB
    # post_max_size must be greater than upload_max_filesize
    # because of HTTP headers
    php_value post_max_size         101m
    php_value upload_max_filesize   100m
    # You may have to uncomment following on errors
    #php_value max_execution_time -1
    #php_value max_input_time -1

    #!! Mandatory !! : set magic_quotes_gpc to off (to make ocsreports works correctly)
    php_flag magic_quotes_gpc      off

    # Uncomment following to allow HTTP body request up to 4 MB
    # instead default 512 KB
    #LimitRequestBody 4194304

    # Uncomment following if you need to specify a mysql socket
    #php_value mysql.default_socket "path/to/mysql/unix/socket"

</Directory>

################################################################################
# Deployment packages download area
#
# Alias to put Deployement package files outside Apache document root directory
#
Alias /download /var/lib/ocsinventory-reports/download
<Directory "/var/lib/ocsinventory-reports/download">
        deny from all
</Directory>

################################################################################
# Snmp communities area
#
# Alias to put Snmp custom Mibs files outside Apache document root directory
#
Alias /snmp /var/lib/ocsinventory-reports/snmp

asked in OCS Inventory NG agent for Windows by (160 points)
edited by

1 Answer

0 votes

So, I figured it out by myself!

The trick here is to set this value

SSLProtocol all

This value will permit the OCSAgent to communicate with the server.

So now my question is:

How can I force the agent to use TLSv1.2 with my Linux OCS server?

answered by (160 points)
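
The two `SSLProtocol` values in this thread differ in which protocol versions the listener on port 443 accepts. The following is an added example, not part of the original posts and not OCS Inventory code: it evaluates the directive left to right as mod_ssl does and lists what the change from `-all +TLSv1.2` to `all` turns on. The expansion of `all` and the sample client are assumptions (the expansion depends on the Apache/OpenSSL build; the client is constructed and does not describe any particular agent version).

```python
# Added example: evaluate an Apache mod_ssl "SSLProtocol" line left to right
# to see which protocol versions each setting from this thread allows.

# Assumption: what "all" expands to depends on the Apache/OpenSSL build; this
# set is the documented expansion for builds with OpenSSL 1.0.1+ and SSLv3.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest
ALL = frozenset(ORDER)


def effective_protocols(directive, all_set=ALL):
    """Return the set of protocols enabled by an 'SSLProtocol ...' line."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[1:] if action else word
        if name.lower() == "all":
            chosen = set(all_set)
        else:
            chosen = {p for p in all_set if p.lower() == name.lower()}
            if not chosen:
                raise ValueError("unknown protocol: %r" % name)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare token replaces everything set so far
    return enabled


def negotiated(server, client):
    """Highest version both sides support, or None (handshake fails)."""
    common = [p for p in ORDER if p in server and p in client]
    return common[-1] if common else None


def newly_exposed(before, after):
    """Protocols that a configuration change turns on, oldest first."""
    gained = effective_protocols(after) - effective_protocols(before)
    return [p for p in ORDER if p in gained]


if __name__ == "__main__":
    strict, loose = "SSLProtocol -all +TLSv1.2", "SSLProtocol all"
    old_client = {"TLSv1"}  # constructed: a client without TLS 1.2 support
    for line in (strict, loose):
        print(line, "->", negotiated(effective_protocols(line), old_client))
    print("newly exposed:", newly_exposed(strict, loose))
```

Under these assumptions, `SSLProtocol all` also accepts SSLv3, TLSv1 and TLSv1.1 from every client that reaches the listener, not only from the agent.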
 