Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.11.1 available

The official documentation can be found on http://wiki.ocsinventory-ng.org. Read it before asking your question.

Troubleshooting Self signed certificates, SSL Handshake errors and agent server communication

So I've set up OCSInventory (OCS) on FreeBSD 10.3 and I'm having problems trying to get the OCSInventory agent to communicate properly with the server. I'm running the latest version of OCS which requires SSL to function. I've generated a self-signed cert but the handshake is failing. The server is running OpenSSL v1.0.1s and on the Mac OS X client OpenSSL v1.0.2g. 

The error code that is being returned by the OCS agent on the client is:

Cannot establish communication : 500 SSL negotiation failed: error:14094410:SSL    
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Connecting with the openssl s_client results in the following error (relevant parts):
No client certificate CA names sent
Verify return code: 18 (self signed certificate)

I don't know if the conflict is due to the cert being generated with the older version of OpenSSL on the server and the client running a newer version.

Here are the steps I followed to generate the certificate:

  1. openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt
  2. openssl req -days 3650 -nodes -new -keyout server.key -out server.csr
  3. openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial
  4. openssl req -days 3650 -nodes -new -keyout client.key -out client.csr
  5. openssl x509 -req -days 3650 -in client.csr -out client.crt -CA ca.crt -CAkey ca.key
  6. openssl x509 -in client.crt -out client.pem -outform PEM

I have the client.pem and root ca.crt certificates installed on the client (Mac OS X 10.11.4)

How do I correctly generate on the server end and install self-signed certificates on the clients?

How do I test to verify that the agent is properly communicating and sending data to the server?


in OCS Inventory NG server for Unix by (120 points)

1 Answer

0 votes

When you have generated the server certificate just copy it on the client. Server and client certificates are identical. If you use the address IP in ocs agent then CN (Common Name) in the certificate must be ip address. If you use FQDN in ocs agent then CN must be FQDN.


by (88.5k points)
Powered by Question2Answer