Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.12.3 available

The official documentation can be found on http://wiki.ocsinventory-ng.org. Read it before asking your question.

SSL Issues w\windows agent connecting.

-    This info is a test environment, so don’t worry.

Issue is that agent will not work is utilizing SSL, but does work if everything remains as HTTP.

Any help would greatly appreciated.

BELOW IS INFO TO HELP WITH ISSUE:

Server Information:
OS Name : Linux x86_64
Version : 5.14.0-362.24.1.el9_3.0.1.x86_64
RAM installed : 11705 MB
Free RAM : 10846 MB
CPU : Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz
Distribution : Rocky Linux 9.3 (Blue Onyx)
PHP Version : 8.0.30
Web Server : Apache/2.4.57 (Rocky Linux) OpenSSL/3.0.7 mod_perl/2.0.12 Perl/v5.32.1
Database Server : MariaDB Server version 10.5.22-MariaDB
Version OCSReports : 2.12.1
IP: 172.xxx.xxx.xxx
Agent: 2.1.1.1

Installed Method (RPM):
https://wiki.ocsinventory-ng.org/03.Basic-documentation/Setting-up-a-OCS-Inventory-Server-with-rpm/

Created a CNF for a self signed certificate to include SANs:

[req]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req

[req_distinguished_name]
C = US
ST = ID10T
L = ID10T
O = ID10T
CN = ocsi.local

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[v3_req]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
nsCertType = server
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = ocsi
DNS.2   = ocsi.local
DNS.3   = ocsinventory
DNS.4   = ocsinventory.local
IP.1    = 172.xxx.xxx.xxx

Create a PEM using the CNF:
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /tmp/ocsinventory-server.pem -out /tmp/ocsinventory-server.pem -config /tmp/san.cnf -extensions 'v3_req'

Create CRT from PEM
openssl x509 -in /tmp/ocsinventory-server.pem -out /etc/pki/tls/certs/ocsinventory-server.crt

Create KEY from PEM
openssl pkey -in /tmp/ocsinventory-server.pem -out /etc/pki/tls/private/ocsinventory-server.key

Check and verify:
openssl x509 -in /etc/pki/tls/certs/ocsinventory-server.crt -text -noout
openssl x509 -in /etc/pki/tls/certs/ocsinventory-server.crt -modulus -noout
openssl rsa -in /etc/pki/tls/private/ocsinventory-server.key -check -noout
openssl rsa -in /etc/pki/tls/private/ocsinventory-server.key -modulus -noout

Modify ssl.conf to include Cert:
SSLCertificateFile /etc/pki/tls/certs/ocsinventory-server.crt
SSLCertificateKeyFile /etc/pki/tls/private/ocsinventory-server.key

Agent:
Placed PEM in:
C:\ProgramData\OCS Inventory NG\Agent

ocsinventory.ini
[OCS Inventory Agent]
ComProvider=ComHTTP.dll
Debug=1
Local=
NoSoftware=0
HKCU=0
NoTAG=0
IpDisc=
[HTTP]
Server=https://ocsi.local/ocsinventory
SSL=1
CaBundle=ocsinventory-server.pem
AuthRequired=0
User=
Pwd=
ProxyType=0
Proxy=
ProxyPort=0
ProxyAuthRequired=0
ProxyUser=
ProxyPwd=
[OCS Inventory Service]
TTO_WAIT=180
PROLOG_FREQ=24
OLD_PROLOG_FREQ=24

Error Log:
Starting OCS Inventory NG Agent on Monday, April 22, 2024 10:33:02.
AGENT => Running OCS Inventory NG Agent Version 2.1.1.1
AGENT => Using OCS Inventory NG FrameWork Version 2.1.1.1
AGENT => Loading plug-in(s)
    DLL PLUGIN => Searching for Plug-in DLL(s) in folder <C:\Program Files (x86)\OCS Inventory Agent\plugins>
    DLL PLUGIN => 0 DLL Plug-in(s) succesfully loaded on 0 DLL(s) found
AGENT => Using network connection with Communication Server
    COM PROVIDER => Loading Communication Provider <C:\Program Files (x86)\OCS Inventory Agent\ComHTTP.dll>
AGENT => Using Communication Provider <OCS Inventory NG cURL Communication Provider> Version <2.1.1.1>
    AGENT => Sending getLabel request
    COM SERVER => Initializing cURL library for getFile
    COM SERVER => Using cURL without server authentication
    COM SERVER => Disabling cURL proxy support
    COM SERVER => Enabling cURL SSL server validation support using CA Bundle <ocsinventory-server.pem>
    COM SERVER => Sending fileGet request to URL <https://ocsi.local/ocsinventory/deploy/label>
    WARNING *** COM SERVER => Failed to send HTTP Get request <SSL connect error>
    COM SERVER => Cleaning cURL library
    AGENT => Failed to retrieve Label <SSL connect error>
AGENT => Sending Prolog
    DID_CHECK => Read DeviceID <SCCM-2024-04-21-10-50-29> and MACs <00:50:56:AC:93:11> in file <ocsinventory.dat>
    COM SERVER => Initializing cURL library for sendRequest
    COM SERVER => Using cURL without server authentication
    COM SERVER => Disabling cURL proxy support
    COM SERVER => Enabling cURL SSL server validation support using CA Bundle <ocsinventory-server.pem>
    COM SERVER => Sending HTTP Post request to URL <https://ocsi.local/ocsinventory>
    WARNING *** COM SERVER => Failed to send HTTP Post request <SSL connect error>
    COM SERVER => Cleaning cURL library
ERROR *** AGENT => Failed to send Prolog <SSL connect error>
AGENT => Unloading communication provider
AGENT => Unloading plug-in(s)
AGENT => Execution duration: 00:00:00.
in OCS Inventory NG agent for Windows by (160 points)

3 Answers

0 votes
Where and how you set Apache (with your certificate) ?

For which reason, you want use SAN = certificate with some fqdn ? It's REALLY more convenient and logical to have only ONE fqdn for OCS server ! (and for Apache's setting)

How you understand ssl security for inventory from agent ? IMHO usage of ssl for agent to upload inventory don't improve security (it's easy to get from OCS server the cacert.pem and paste it in agent's setting) !
by (19.8k points)
0 votes
Replying to Jacquesh
Forgive my reply, I will try to answer back to everything.

I stated above I added the CRT and KEY to the ssl.conf file:
SSLCertificateFile: /etc/pki/tls/certs/ocsinventory-server.crt
SSLCertificateKeyFile: /etc/pki/tls/private/ocsinventory-server.key

Are you saying I should have added it to Apache Conf file? such as:
ocsinventory-reports.conf
ocsinventory-server.conf

As for the SANs, that shouldn't matter, that is really handled by the DNS.  But I can create the cert without them, I still get the same issue.

The last part I am confused by, so please have patience with me.

How you understand ssl security for inventory from agent ?
The way I see it is a layer of encryption from the agent to the server, so that data is not passed over clear text.  Sort of like SCCM uses a cert or Nagios NCPA uses a "Token".

As for the part you mentioned the PEM in the agent Config file, yes, you are right, I suppose it is easy to modify the file, but with proper permissions and auditing, you can mitigate that.

I hope I responded accordingly, please feel free to respond.
by (160 points)
0 votes
About certificate (and Apache), I use virtualhost (and a different fqdn for inventory and reports). So I use a certfificate with only one fqdn (common name) for inventory and reports. (I don't use ssl for agent, but http + https for inventory for package deployement).

Imho, use ssl for agent don't improve security. If you want corrupt inventory using fake agent even with ssl, it's easy to get the ssl certificate from server and put it on fake agent as cacert.pem. Real security will be to register agents ans use ssl private certificate from an OCS pki ... Use ssl is also a problem when certificate expire due deploiement of a new certificate !
by (19.8k points)
 
Powered by Question2Answer
...