Use HTTPS for inventory [closed]

Hello,

I'm trying to inventory my Linux through HTTPS but I can't get it to work.

OS : Redhat 7.5
OCS Server : 2.4.1-1
OCS Agents : 2.4.0-1

I have set up the server by using the RPMs for EL 7 :

- yum install ocsinventory-server
- configure mariadb and httpd
- web access OK

I have set up some clients :

cat /etc/ocsinventory/ocsinventory-agent.cfg
# Server URL, uncomment if needed
server = https://ocs.mydomain.com/ocsinventory
basevardir = /var/lib/ocsinventory-agent
# Administrative TAG (optional, must be filled before first inventory)
tag = MyTAG
# How to log, can be File,Stderr,Syslog
logger = Stderr
logfile = /var/log/ocsinventory-agent/ocsinventory-agent.log
ssl=0/1

I started with ssl=0 and got my first issue :

[Wed Aug 22 09:18:14 2018][error] Cannot establish communication : 500 SSL_ca_file /var/lib/ocsinventory-agent/https:__ocs.mydomain.com_ocsinventory/cacert.pem does not exist

I got it working after doing something I found on the web :

openssl s_client -connect ocs.mydomain.com:443 </dev/null > /tmp/cacert
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' /tmp/cacert > /var/lib/ocsinventory-agent/https\:__ocs.mydomain.com_ocsinventory/cacert.pem

After that, the computer appeared on the OCS web interface.

Then I tried with ssl=1 and got

[Wed Aug 22 09:18:51 2018][error] Cannot establish communication : 500 Can't connect to ocs.mydomain.com:443

With tcpdump I can see the TLS connection failing :

Something like : Description: Unknown CA

Nothing in the apache logs when I use ssl=1.

Then I generated a proper certificate from my CA, configured httpd to use it and then did the openssl/sed commands again for the cacert.pem and now I got the same error in the log file but in tcpdump I get

Alert (Level: Fatal, Description: Internal Error)

And through strace :

connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.1.1.1")}, 16) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.1.1.1")}, [16]) = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
write(4, "\26\3\1\2\0\1\0\1\374\3\3,\376\343k\202\303yIa\242@\300\235\tm\16\257x}\357\212"..., 517) = 517
read(4, 0x26cacf0, 7)                   = -1 EAGAIN (Resource temporarily unavailable)

And still nothing in the apache logs.

I can't find any documentation online for the HTTPS/ssl=1 part. Did I miss something somewhere? Why don't I have better error lines in the log?

Optional question: I filter the output traffic in my agents and only tcp/443 is open. Is it normal that the agent can inventory itself through the HTTPS URL with ssl=0?

Regards,

Johan
closed with the note: error
asked in OCS Inventory NG server for Unix by (120 points)
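
A check that can be run on the pinned file, as an added example that is not part of the original post: `openssl s_client` without `-showcerts` prints only the server's own certificate, so the sed-extracted cacert.pem holds the leaf and not the issuing CA. The script builds a constructed throwaway CA and server certificate (all file names and the helper functions are assumptions) and compares how `openssl verify` treats the CA certificate and the leaf alone as the CA file.

```shell
#!/bin/sh
# Added example with constructed certificates; nothing here comes from the poster's systems.

# Build a throwaway CA and a server certificate issued by it in directory $1.
make_fixture() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=ocs.mydomain.com" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a trust anchor in CA file $1.
ca_file_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp" || return 1
    # srv.pem plays the role of the sed-extracted file: the leaf certificate only.
    for ca in ca.pem srv.pem; do
        if ca_file_validates "$tmp/$ca" "$tmp/srv.pem"; then
            echo "cacert.pem = $ca: chain verifies"
        else
            echo "cacert.pem = $ca: chain does NOT verify"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real agent the same `ca_file_validates` check applies to the cacert.pem under basevardir and a copy of the server certificate; a CA file that passes it contains the issuing CA certificate.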