Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.11.1 available

The official documentation can be found on http://wiki.ocsinventory-ng.org. Read it before asking your question.

Agent send Prolog failed with letsencrypt ssl

Debian 9
php7
OCSNG_UNIX_SERVER 2.3.1
OCSNG-Windows-Agent-2.3.0.0
OCSNG-Windows-Packager-2.3
glpi 9.1.4

I want to get green lock on my website so I use letsencrypt linux tool certbot to sign my domain.
I browse my website, everything is OK.
I try to send information by agent then got error.

==============================================================================
Starting OCS Inventory NG Agent on Monday, July 10, 2017 15:08:34.
AGENT => Running OCS Inventory NG Agent Version 2.3.0.0
AGENT => Using OCS Inventory NG FrameWork Version 2.3.0.0
AGENT => Loading plug-in(s)
AGENT => Using network connection with Communication Server
AGENT => Using Communication Provider <OCS Inventory NG cURL Communication Provider> Version <2.3.0.0>
AGENT => Sending Prolog
ERROR *** AGENT => Failed to send Prolog <Peer certificate cannot be authenticated with given CA certificates>
AGENT => Unloading communication provider
AGENT => Unloading plug-in(s)
AGENT => Execution duration: 00:00:01.

I try to debug by myself.
I got the cacert and private key by using openssl to sign same domain...no green lock :(
Then I edited the apache2 ssl conf. The Agent could send information currently.
The OCSNG Server and  Agent is worked.

So I have a problem.
The cacert.pem which made by certbot couldn't use in ocsng and agent?

There are theree pem and one private key whitch made by certbot.
cert.pem / chain.pem / fullchain.pem / privkey.pem
default ssl conf is  fullchain.pem / privkey.pem
I try use cert.pem, chain.pem and fullchain.pem to be cacert.pem in agent. All of them are unavailable.
Show me error again and again.

ERROR *** AGENT => Failed to send Prolog <Peer certificate cannot be authenticated with given CA certificates>

Someone have any idea which this?  thanks a lot.
in OCS Inventory NG server for Unix by (290 points)
edited by

6 Answers

+1 vote
 
Best answer
Hi,

I had the same problem. I found the right key under https://www.identrust.com/certificates/trustid/root-download-x3.html

Only copy and paste it into cacert.pem. I also use let's encrypt and it's working fine.
by (520 points)
selected by
+1 vote

Hi.

I also had issues. The first thing is that the filename must be cacert.pem. For some reason I could not get it to work if it was not that. So look at your agent's config file. It must match mine. Then only use the intermediary and root cert. You don't need to use the full chain on the agent either.

basevardir=/var/lib/ocsinventory-agent
ca=/etc/ocsinventory-agent/cacert.pem
server=https://<Domain name of OCS Server>/ocsinventory
ssl=1
tag=Global Solutions Desktop
debug=0
log=/var/log/ocs_agent.log

SSL cert chain to use on the agent for Let's encrypt:

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

by (1.9k points)
0 votes

Yes, the filename must be cacert.pem.
My agent is latest microsoft winodows agent. 

I use packager to make auto installer.
/S /NOW /NO_SYSTRAY /SSL=1 /SERVER=https://<my domain IP>/ocsinventory

I already try use cert.pem, chain.pem and fullchain.pem and rename to cacert.pem.
All of them are same error result.

cert.pem have one certiticate
chain.pem have one certiticate
fullchain.pem = cert.pem + chain.pem

I try this issue again.

-------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

windows agent 
cert.pem -> cacert.pem     error <Peer certificate cannot be authenticated with given CA certificates>
chain.pem -> cacert.pem    error <Peer certificate cannot be authenticated with given CA certificates>
fullchain.pem -> cacert.pem    error <Peer certificate cannot be authenticated with given CA certificates>
-------------------------------------------------------------

-------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/<my domain>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

windows agent 
cert.pem -> cacert.pem     error <Peer certificate cannot be authenticated with given CA certificates>
chain.pem -> cacert.pem    error <Peer certificate cannot be authenticated with given CA certificates>
fullchain.pem -> cacert.pem    error <Peer certificate cannot be authenticated with given CA certificates>
-------------------------------------------------------------

-------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/<my domain>/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

apache2 restart fail
-------------------------------------------------------------

by (290 points)
edited by
0 votes
OMG. It's worked!
Add ROOT CHAIN CERTIFICATE behind cacert.pem.
Only ROOT CHAIN CERTIFICATE be cacert.pem is also worked.

Thanks you everyone.
by (290 points)
edited by
0 votes
Hello Mathew.chen I don't understand your solution. Where did you add the ROOT CHAIN CERTIFICATE, inside the cacert.pem?

Or in the inside the ocsinventory.ini?

Plz help me i don't find answer anywhere....
by (240 points)
0 votes

Hi H0bs,

I have select the best answer.

Just copy and paste ROOT CHAIN then make sure the file name is cacert.pem.

by (290 points)
 
Powered by Question2Answer
...