Hello to everyone
Firstly, sorry for my English.
I have been a bit desperate since Friday.
I have navigated through many discussions, like this one, but without a solution. And my "friend" Google doesn't give a useful clue.
My OCS agent cannot send its information by https to the OCS server.
Can someone help me, please?
My configuration:
- Linux Ubuntu 16.04.1 on virtual machine (like the agent)
- Apache 2.4.18
- PHP 5.6.29-1
- Mysql 5.7.16
- OCS 2.3R
- GLPI 9.1.1
It works only by http, but the problem is that I will quickly have to build a new OCS/GLPI server outside my company, so https is the only solution.
At the beginning, I created a certificate using this method:
openssl genrsa -des3 -out server.key 1024
mv server.key server-old.key
openssl rsa -in server-old.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
cp server.crt /etc/apache2/ssl/
cp server.key /etc/apache2/ssl/
a2ensite ssl.conf
/etc/init.d/apache2 restart
Then I changed the lines to the certificate in "/etc/apache2/sites-available/ssl.conf":
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCertificateFile /etc/apache2/ssl/server.crt
I renamed the file "server.crt" to "cacert.pem" and copied it into the agent in /var/lib/ocsinventory-agent
My certificate looks like:
-----BEGIN CERTIFICATE-----
[..................................................]
-----END CERTIFICATE-----
I modified the ocsinventory-agent.cfg configuration:
server=https://myserverocs.com/ocsinventory
tag=myagentocs
ca=/var/lib/ocsinventory-agent/cacert.pem
basevardir=/var/lib/ocsinventory-agent
#debug=1
#logfile=/var/log/ocsinventory-agent
Moreover, I tested the certificates on an agent based on Windows seven with this configuration:
[OCS Inventory Agent]
ComProvider=ComHTTP.dll
Debug=0
Local=
NoSoftware=0
HKCU=0
NoTAG=1
IpDisc=
[HTTP]
Server=https://myserverocs.com:443/ocsinventory
SSL=1
CaBundle=C:\ProgramData\OCS Inventory NG\Agent\cacert.pem
AuthRequired=0
User=
Pwd=
ProxyType=0
Proxy=
ProxyPort=0
ProxyAuthRequired=0
ProxyUser=
ProxyPwd=
[OCS Inventory Service]
TTO_WAIT=19260
PROLOG_FREQ=24
OLD_PROLOG_FREQ=24
The result on the agent based on Windows seven:
==============================================================================
Starting OCS Inventory NG Agent on Wednesday, February 08, 2017 10:11:28.
AGENT => Running OCS Inventory NG Agent Version 2.1.1.3
AGENT => Using OCS Inventory NG FrameWork Version 2.1.1.3
AGENT => Loading plug-in(s)
AGENT => Using network connection with Communication Server
AGENT => Using Communication Provider <OCS Inventory NG cURL Communication Provider> Version <2.1.1.3>
AGENT => Sending Prolog
ERROR *** AGENT => Failed to send Prolog <Peer certificate cannot be authenticated with given CA certificates>
AGENT => Unloading communication provider
AGENT => Unloading plug-in(s)
AGENT => Execution duration: 00:00:00.
==============================================================================
But when I try to send information from an agent:
root@myserverocs:~# sudo ocsinventory-agent --debug
[debug] Ocsinventory unified agent for UNIX, Linux and MacOSX 2.0.5
[debug] Log system initialised (Stderr)
[debug] --scan-homedirs missing. Don't scan user directories
[debug] Accountinfo file: /var/lib/ocsinventory-agent/https:__frelon.intranet.sereneo.com_ocsinventory/ocsinv.adm
[debug] OCS Agent initialised
[debug] Turns hooks on for /etc/ocsinventory/modules.conf
[debug] Ocsinventory unified agent for UNIX, Linux and MacOSX 2.0.5
[debug] Log system initialised (Stderr)
[debug] Calling handlers : `start_handler'
[debug] [download] Calling download_start_handler
[debug] - Net::SSLeay qw(die_now die_if_ssl_error) loaded
[debug] Compress::Zlib is available.
[debug] Calling handlers : `prolog_writer'
[debug] sending XML
[debug] sending: <?xml version="1.0" encoding="UTF-8"?>
<REQUEST>
<DEVICEID>myserverocs-2017-02-06-15-42-17</DEVICEID>
<QUERY>PROLOG</QUERY>
</REQUEST>
[error] Cannot establish communication : 500 Can't connect to myserverocs.com:443 (certificate verify failed)
Do you have any clue? Do you see any mistakes in my configuration?
Thank you in advance
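
Checks that help narrow down a "certificate verify failed" error like the ones in the two agent logs above, as an added example that is not part of the original post: does the server certificate verify against the file given to the agent (ca= / CaBundle=), does it cover the host name in the server URL, and is the agent's copy the same certificate Apache serves. The function names and the host names ocs.example.test and other.example.test are assumptions; the certificates are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example: offline checks for an agent-side CA file (constructed data only).

# True if the certificate chains to the CA file the agent is given (ca= / CaBundle=).
verifies_against() {   # $1 = server cert, $2 = CA file
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# True if the certificate's SAN/CN covers the host name used in the server URL.
matches_host() {       # $1 = cert, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# SHA-256 fingerprint, to compare the agent's copy with the file Apache serves.
fingerprint() {        # $1 = cert
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Throwaway self-signed certificate for the demo (placeholder names).
make_sample() {        # $1 = output prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/server" ocs.example.test
    make_sample "$d/other"  other.example.test
    cp "$d/server.crt" "$d/cacert.pem"      # same step as in the post
    verifies_against "$d/server.crt" "$d/cacert.pem" && echo "chain: ok"
    verifies_against "$d/server.crt" "$d/other.crt"  || echo "chain: wrong CA file"
    matches_host "$d/server.crt" ocs.example.test    && echo "name: ok"
    matches_host "$d/server.crt" myserverocs.com     || echo "name: mismatch"
    rm -rf "$d"
}
demo
```

On a real installation the same functions take /etc/apache2/ssl/server.crt, the agent's cacert.pem and the host name from the server= line as arguments.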