So I've set up OCSInventory (OCS) on FreeBSD 10.3 and I'm having problems trying to get the OCSInventory agent to communicate properly with the server. I'm running the latest version of OCS, which requires SSL to function. I've generated a self-signed cert, but the handshake is failing. The server is running OpenSSL v1.0.1s and the Mac OS X client is running OpenSSL v1.0.2g.
The error code that is being returned by the OCS agent on the client is:
Cannot establish communication : 500 SSL negotiation failed: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Connecting with the openssl s_client results in the following error (relevant parts):
No client certificate CA names sent
...
Verify return code: 18 (self signed certificate)
I don't know if the conflict is due to the cert being generated with the older version of OpenSSL on the server and the client running a newer version.
Here are the steps I followed to generate the certificate:
- openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt
- openssl req -days 3650 -nodes -new -keyout server.key -out server.csr
- openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial
- openssl req -days 3650 -nodes -new -keyout client.key -out client.csr
- openssl x509 -req -days 3650 -in client.csr -out client.crt -CA ca.crt -CAkey ca.key
- openssl x509 -in client.crt -out client.pem -outform PEM
I have the client.pem and root ca.crt certificates installed on the client (Mac OS X 10.11.4).
How do I correctly generate on the server end and install self-signed certificates on the clients?
How do I test to verify that the agent is properly communicating and sending data to the server?
Thanks!
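A way to check the chain that the steps in the post produce, added here as an example and not part of the original post: it reruns the same six commands non-interactively and confirms that each leaf verifies against ca.crt. Verify code 18 refers to the certificate at depth 0 (the leaf) being self-signed, so the script also compares each leaf's subject with its issuer. The `-subj` values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: subject names are constructed, not taken from the post.

# Re-run the post's six steps non-interactively inside directory $1.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt \
          -subj "/CN=Example Test CA" &&
      openssl req -days 3650 -nodes -new -keyout server.key -out server.csr \
          -subj "/CN=ocs.example.test" &&
      openssl x509 -req -days 3650 -in server.csr -out server.crt \
          -CA ca.crt -CAkey ca.key -CAcreateserial &&
      openssl req -days 3650 -nodes -new -keyout client.key -out client.csr \
          -subj "/CN=agent01.example.test" &&
      openssl x509 -req -days 3650 -in client.csr -out client.crt \
          -CA ca.crt -CAkey ca.key &&
      openssl x509 -in client.crt -out client.pem -outform PEM
    ) >/dev/null 2>&1
}

# check_leaf CA LEAF: 0 if LEAF has a subject distinct from its issuer and
# verifies against CA, 1 if a check fails, 2 if LEAF cannot be parsed.
check_leaf() {
    ca=$1
    leaf=$2
    subj=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253) || return 2
    iss=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253) || return 2
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "$leaf: subject equals issuer (${subj#subject=})"
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "$leaf: does not verify against $ca"
        return 1
    fi
    echo "$leaf: OK, issued by ${iss#issuer=}"
}

# Build a throwaway chain and check both leaves against the CA.
demo() {
    d=$(mktemp -d) || return 2
    make_demo_chain "$d" &&
        check_leaf "$d/ca.crt" "$d/server.crt" &&
        check_leaf "$d/ca.crt" "$d/client.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

To check existing files instead of the throwaway chain, call `check_leaf ca.crt server.crt` in the directory that holds them.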