Windows Agent sent Prolog, with Letsencrypt SSL

Question

The environment:

Debian 9

Php7.2

OCSNG_UNIX_SERVER 2.4.1

OCSNG-Windows-Agent-2.3.1.1

OCSNG-Windows-Packager-2.3

Hey guys, I have a problem with Letsencrypt certificates. When I requested Letsencrypt cert I only got 2 certificates, and got to be used in Apache ssl config:

SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

• I tried two of them in Agent package as cacert.pem, but the Fullchain dropped this error:

ERROR *** AGENT => Failed to send Prolog <Peer certificate cannot be authenticated with given CA certificates>

• Privkey.pem have this kind of error:

ERROR *** AGENT => Failed to send Prolog <Problem with the SSL CA cert (path? access rights?)>

I use these command line parameters in Agent:

/S /NOW /SERVER=https://mydomain.com/ocsinventory /SSL=1 /NOSPLASH /TAG="Laptop"

I've read about in google and find a solution which is not clear for me. The link for solution:

http://ask.ocsinventory-ng.org/7351/agent-send-prolog-failed-with-letsencrypt-ssl

I also in the same situation, than "mathew.chen" but the answer which he marked is not work for me or I do something wrong. Please someone explain it to me deeply step by step what should I do, where should I put the certificate which he recommend? Or can anybody confirm that the recommended solution is worked for her/him?

Under the list of certificates which I tried:

• fullchain.pem - did not work
• from fullchain.pem copied the first paragraph or cert -> fullchain_root.pem - did not work
• from fullchain.pem copied the second paragraph or cert -> ocsinventory.pem - did not work
• privkey.pem - did not work
• copied from here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
  • root.pem - did not work
• copied from here, it was the recommended solution: https://www.identrust.com/certificates/trustid/root-download-x3.html
  • trustid.pem - did not work

Answer 1

Hello,

Follow this procedure and everything will works fine.

1: a2enmod ssl

2: service apache2 restart

3: ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

4: openssl genrsa -des3 -out privkey.key 2048

5: mv privkey.key privkey-old.key

6: openssl rsa -in privkey-old.key -out privkey.key

enter pass phrase

7: openssl req -new -key privkey.key -out fullchain.csr

Fill in all fields:

• Country Name (2 letter code)
• State or Province Name (full name)
• [Some-State]
• Locality Name (eg, city)
• Organization Name (eg, company) [Internet Widgits Pty Ltd]
• Organizational Unit Name (eg, section)
• Common Name (e.g. server FQDN or YOUR name)
• Email Address

IMPORTANT!

Remember to enter the same name in “Common Name” that will be used for connecting by client computers. Otherwise agents will not be able to communicate with server.

8: openssl x509 -req -days 3650 -in fullchain.csr -signkey privkey.key -out fullchain.pem

9: cp fullchain.pem /etc/ssl/certs/

10: cp privkey.key /etc/ssl/private/

11: nano /etc/apache2/sites-enabled/default-ssl.conf

comment your two lines

# SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

and creat theses two lines:

SSLCertificateFile      /etc/ssl/certs/fullchain.pem

SSLCertificateKeyFile /etc/ssl/private/privkey.key

12: service apache2 restart

13: copy the  /etc/ssl/certs/fullchain.pem and rename it in cacert.pem and included it on the OCSpackage.exe and finally deploy it on the PC.

Answer 2

Hello,

Thanks for your answer and help.

I am going to mark your post as the best answer, but I am sad, that there is still no chance to use letsencrypt as cacert.pem.

Okay-okay I would use the letsencrypt for the browser say it is a safe website. Without it it is says that it is unsafe, but the administrators would use that website only, so no problem with it.

Thanks again.

Answer 3

I will try with letsencrypt because i also want to use signed certificate.

I tried with the wild card certificate but the agent doens't works properly.

I'll give you feedback if i can do something with letsencrypt

Answer 4

Let’s Encypt will only issue certificates for public domain names that it can verify.

In my case it's not a public webserver. Maybe it's the same for you.

I can't use it.

Answer 5

I agree with you, because we (only us as administrators) will use it it is not necessary to use with a public, accepted certificate.

All in all, thanks for your help. I recommend to the others to make an own certificate than use for example Letsencrypt.