Can't make agent work with Docker + SSL

Hi, I have set up a server (debian 12 + ocs docker image 2.12.3)

agent on windows 10 22h2 version 2.1.1.1

Architecture :

Windows Agent (with root-ca file deployed and specified in the config file) -> Docker Nginx reverse proxy [enforces https same root ca] -> Docker Ocs Inventory server (root-ca file deployed and specified in the config file)

The ocsreports interface is working fine with https, but no machine inventory appears.

I tried editing many configuration files (including apache inside the container) but to no avail

No apache access logs are written when the agent inventory is triggered.

Logs are written when accessing the webui.

I also noted the source IPs in the apache logs are those of the reverse proxy and not the client computer.

In dockerfile & docker-compose, I defined :

OCS_SSL_KEY=/certs/ocs.key
OCS_SSL_CERT=/certs/ocs.pem
OCS_SSL_CA=/certs/ca.pem

Agent conf :

[HTTP]
Server=ocs.xxxx.xx
SSL=1
CaBundle=C:\ProgramData\OCS Inventory NG\Agent\ca.pem
AuthRequired=0

Agent logs :

AGENT => Running OCS Inventory NG Agent Version 2.1.1.1
AGENT => Using OCS Inventory NG FrameWork Version 2.1.1.1
AGENT => Loading plug-in(s)
AGENT => Using network connection with Communication Server
AGENT => Using Communication Provider <OCS Inventory NG cURL Communication Provider> Version <2.1.1.1>
AGENT => Sending Prolog
ERROR *** AGENT => Failed to send Prolog <SSL connect error>
AGENT => Unloading communication provider
AGENT => Unloading plug-in(s)
AGENT => Execution duration: 00:00:01.

PS : when opening /ocsinventory with a browser (https), the "Bad Request" footer is : Apache/2.4.52 (Ubuntu) Server at ocs.xxx.xx Port 80

Maybe an apache-side issue ? (answering in cleartext on a ssl channel)

in OCS Inventory NG server for Unix by (200 points)
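
One way to test the hypothesis in the question's PS (a listener answering in cleartext on a channel the client treats as SSL): this added example, which is not part of the original post or of OCS Inventory, sends a genuine TLS ClientHello to a port and classifies the first bytes that come back. The function names, the return labels and the default port 443 are assumptions made for the illustration.

```python
import socket
import ssl


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def classify_reply(first_bytes: bytes) -> str:
    """Name the kind of listener that produced the first bytes of a reply."""
    if not first_bytes:
        return "closed-without-reply"
    if first_bytes[:5] == b"HTTP/":
        return "cleartext-http"      # plain HTTP listener reached over a TLS channel
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"   # ServerHello record: the listener speaks TLS
        if first_bytes[0] == 0x15:
            return "tls-alert"       # TLS listener that rejected this hello
    return "unknown"


def probe(sock: socket.socket, server_name: str) -> str:
    """Send a ClientHello on a connected socket and classify the answer."""
    sock.sendall(client_hello(server_name))
    try:
        return classify_reply(sock.recv(16))
    except (ConnectionResetError, socket.timeout):
        return "closed-without-reply"


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port and report what answers the TLS hello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock, host)


if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_host(sys.argv[1], port))
```

Run it against each hop in turn (the reverse proxy's public port, then the container's published port): a `cleartext-http` result marks the hop where a plain HTTP listener is receiving TLS traffic.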

4 Answers

0 votes
Try simply copying your key and cert to the default files. Confirm SSL is turned on in the YAML and that the cacert.pem on the client matches your crt.
by (690 points)
0 votes

Try simply copying your key and cert to the default files. Confirm SSL is turned on in the YAML and that the cacert.pem on the client matches your crt.

Which default files ?

When you are talking about yaml, do you mean the docker-compose file ?

The client ca.pem contains the root ca public key which issued the certificate on the server.

by (200 points)
0 votes

Try..

  • Check your docker-compose.yml and confirm LISTEN_PORT:443 and PORT_TYPE: "ssl"
  • Confirm you did not mix up your public and private certs. Put your public cert into a reader to confirm the settings are correct.
  • If you have a web filter you may need to address your server fully, for example https://ocsinventory.yourdomain.com/ocsinventory/index.php. Yes, type in https.
  • Confirm you are not using a 172.17.x.x or 172.18.x.x on your local network. We do, so I had to update the docker and supply a free network range.
by (690 points)
0 votes
  • Check your docker-compose.yml and confirm LISTEN_PORT:443 and PORT_TYPE: "ssl"

You mean in the "ocsapplication" section ? It didn't change anything

  • Confirm you did not mix up your public and private certs. Put your public cert into a reader to confirm the settings are correct.

It's not mixed

It's written correctly

  • Confirm you are not using a 172.17.x.x or 172.18.x.x on your local network. We do, so I had to update the docker and supply a free network range.

I'm not

What I don't understand is why we can't just skip this config somehow since the nginx reverse proxy is already enforcing https. All we should do is tell the client to use ssl and trust the CA.

ago by (200 points)
 