Windows Agent sent Prolog, with Letsencrypt SSL

The environment:

Debian 9

Php7.2

OCSNG_UNIX_SERVER 2.4.1

OCSNG-Windows-Agent-2.3.1.1

OCSNG-Windows-Packager-2.3

Hey guys, I have a problem with Letsencrypt certificates. When I requested a Letsencrypt cert I only got 2 certificates, which are used in the Apache SSL config:

SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

  • I tried both of them in the Agent package as cacert.pem, but the fullchain gave this error:

ERROR *** AGENT => Failed to send Prolog <Peer certificate cannot be authenticated with given CA certificates>

  • Privkey.pem gives this kind of error:

ERROR *** AGENT => Failed to send Prolog <Problem with the SSL CA cert (path? access rights?)>

I use these command line parameters in Agent:

/S /NOW /SERVER=https://mydomain.com/ocsinventory /SSL=1 /NOSPLASH /TAG="Laptop"

I've read about it on Google and found a solution which is not clear to me. The link to the solution:

http://ask.ocsinventory-ng.org/7351/agent-send-prolog-failed-with-letsencrypt-ssl

I am also in the same situation as "mathew.chen", but the answer which he marked does not work for me, or I am doing something wrong. Please, could someone explain to me in depth, step by step, what I should do and where I should put the certificate which he recommends? Or can anybody confirm that the recommended solution worked for her/him?

Below is the list of certificates which I tried:

in OCS Inventory NG agent for Windows by (320 points)

5 Answers

+2 votes
 
Best answer

Hello,

Follow this procedure and everything will work fine.

1: a2enmod ssl

2: service apache2 restart

3: ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

4: openssl genrsa -des3 -out privkey.key 2048

5: mv privkey.key privkey-old.key

6: openssl rsa -in privkey-old.key -out privkey.key

enter pass phrase

7: openssl req -new -key privkey.key -out fullchain.csr

Fill in all fields:

  • Country Name (2 letter code)
  • State or Province Name (full name) [Some-State]
  • Locality Name (eg, city)
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]
  • Organizational Unit Name (eg, section)
  • Common Name (e.g. server FQDN or YOUR name)
  • Email Address

IMPORTANT!

Remember to enter the same name in “Common Name” that will be used for connecting by client computers. Otherwise agents will not be able to communicate with server.

8: openssl x509 -req -days 3650 -in fullchain.csr -signkey privkey.key -out fullchain.pem

9: cp fullchain.pem /etc/ssl/certs/

10: cp privkey.key /etc/ssl/private/

11: nano /etc/apache2/sites-enabled/default-ssl.conf

comment out your two lines

# SSLCertificateFile /etc/letsencrypt/live/<my domain>/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/<my domain>/privkey.pem

and create these two lines:

SSLCertificateFile      /etc/ssl/certs/fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/privkey.key

12: service apache2 restart

13: copy /etc/ssl/certs/fullchain.pem, rename it to cacert.pem, include it in the OCSpackage.exe and finally deploy it on the PC.
by (740 points)
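
A pre-deployment check for the cacert.pem from step 13, as an added example (not part of the answer above and not OCS Inventory code): `check_cacert`, `make_selfsigned`, the return codes and the host name `ocs.example.test` are assumptions made for the example. It uses the openssl CLI to tell apart a packaged file that is not a certificate, a server certificate that does not chain to cacert.pem, and the Common Name mismatch the answer warns about.

```shell
#!/bin/sh
# check_cacert CACERT SERVER_CERT HOSTNAME
# Return codes (chosen for this example):
#   0  CACERT verifies SERVER_CERT and HOSTNAME matches the certificate
#   1  CACERT is not a readable certificate (e.g. a private key was packaged)
#   2  SERVER_CERT does not chain to a certificate in CACERT
#   3  the chain verifies but HOSTNAME does not match the certificate
check_cacert() {
    cacert=$1 server_cert=$2 host=$3

    # The packaged file must parse as an X.509 certificate at all.
    openssl x509 -in "$cacert" -noout 2>/dev/null || return 1

    # Verify against CACERT only; -no-CApath keeps the system CA directory
    # out of the decision. Match the ": OK" line instead of the exit status.
    openssl verify -no-CApath -CAfile "$cacert" "$server_cert" 2>/dev/null \
        | grep -q ': OK$' || return 2

    # The name used in /SERVER= has to match the certificate.
    openssl x509 -in "$server_cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match certificate' || return 3
    return 0
}

# Constructed sample material: a throw-away self-signed pair standing in
# for the fullchain.pem / privkey.key that steps 4-8 of the answer produce.
make_selfsigned() {   # make_selfsigned DIR CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/privkey.key" -out "$1/fullchain.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_selfsigned "$tmp" ocs.example.test || return 9
    for ca in fullchain.pem privkey.key; do
        rc=0
        check_cacert "$tmp/$ca" "$tmp/fullchain.pem" ocs.example.test || rc=$?
        echo "$ca packaged as cacert.pem -> $rc"
    done
    rc=0
    check_cacert "$tmp/fullchain.pem" "$tmp/fullchain.pem" wrong.example.test || rc=$?
    echo "correct cacert.pem, wrong name in /SERVER= -> $rc"
    rm -rf "$tmp"
}
demo
```
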
0 votes
Hello,

Thanks for your answer and help.

I am going to mark your post as the best answer, but I am sad that there is still no chance to use Letsencrypt as cacert.pem.

Okay, okay, I would use Letsencrypt so that the browser says it is a safe website. Without it, it says that it is unsafe, but only the administrators would use that website, so no problem with it.

Thanks again.
by (320 points)
0 votes
I will try with Letsencrypt because I also want to use a signed certificate.

I tried with the wildcard certificate but the agent doesn't work properly.

I'll give you feedback if I can do something with Letsencrypt.
by (740 points)
0 votes
Let’s Encrypt will only issue certificates for public domain names that it can verify.

In my case it's not a public webserver. Maybe it's the same for you.

I can't use it.
by (740 points)
0 votes
I agree with you: because we (only us as administrators) will use it, it is not necessary to use a public, accepted certificate.

All in all, thanks for your help. I recommend that others make their own certificate rather than use, for example, Letsencrypt.
by (320 points)