agent tunneling

Started by skadefro, July 18, 2017, 05:29:46 PM


skadefro

Hey

I've googled and searched the forum, but I have not really found anything that makes sense of how to solve this error.

I've requested a certificate at GoDaddy and exported it as PFX.
I've then converted it to PEM using
openssl pkcs12 -in cert.pfx -out cert.cer -nodes

Now, no matter how I try to feed the result into netxmsd.conf, I get the same error:
Cannot load server certificate from C:\NetXMS\etc\cert.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)

The guide at https://wiki.netxms.org/wiki/How_to_configure_agent_to_server_connection isn't really helpful here. Password? PEM files don't have a password. And CA, should that be GoDaddy's CA file or the public key from the PEM file?
If I save the public and private key in separate files and fill them in, it fails. If I use the raw PEM file, it fails.
I tried saving in Linux and Windows format, and it still fails.
I've added "Everyone" with full control on all files, and it still fails ...

*ANY* hint where to look would be greatly appreciated

Not sure if it's related, but "NetXMS Core" refuses to start. It runs fine from a console, both with Windows authentication and SQL login in netxmsd.conf.

Tursiops

Hi,

You do not need or want a standard 3rd party CA certificate for NetXMS Agent Tunnels.

My guess is your certificate has the same problem I had with my initial certificate attempts:
[..] The latter is presumably meant to sign additional certificates, but my server certificate was not authorised to do that. [..]

I've run into a few issues of my own while setting this up (it's all running smooth now) and posted my progress notes on the forum here:
https://www.netxms.org/forum/configuration/agent-to-server-connections/msg22308/#msg22308

The certificate on the server is used to sign new certificates for the agents, so they can authenticate to the server.
A standard GoDaddy certificate wouldn't be authorised to do that. There is a link in my post above which points to a guide on how to set up a CA. Together with the remaining notes in the thread, you should be able to get this up and running.

Cheers

chris.petree

Hey Tursiops,
I'm getting the same error, but I did build out the certs on the NetXMS server.
[03-Aug-2017 12:38:36.561] [ERROR] Cannot load server certificate from [location I put in] (error:0906D06C:PEM routines:PEM_read_bio:no start line)
Do you, or anyone else, know what "start line" they are looking for? I've seen people post that some certs are written in a sort of XML style, JSON style, for example:
<ca>
-----BEGIN CERTIFICATE-----
stuff here
-----END CERTIFICATE-----
</ca>

chris.petree

So, I did some more research. It seems like there may be a compatibility issue? Regardless of whether or not this is running on a Windows server these certificates need to be made using Linux compatibility?

Tursiops

We're running on Linux, so no conversion required here. Looks like PEM to me.

ServerCACertificate points at the actual CA root certificate.
ServerCertificate is the intermediate certificate I created from that root. This intermediate certificate consists of the certificate and private key.
The password for that private key is stored in netxmsd.conf under ServerCertificatePassword.

The intermediate/ServerCertificate certificate looks like this:
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
[..]
-----END RSA PRIVATE KEY-----


Cheers
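
An added example, not part of the original posts and not NetXMS code: a small Python check for the certificate-plus-encrypted-key layout described in the post above, and for file encodings that leave OpenSSL without a readable start line. The helper name `inspect_pem` and the sample data are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)^-----END \1-----", re.S | re.M)

# Constructed sample in the certificate + encrypted key layout; the base64
# bodies are placeholders, not real key material.
SAMPLE_COMBINED = (
    b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"
)

def inspect_pem(raw: bytes) -> dict:
    """Hypothetical helper: list PEM blocks and flag encodings that hide them."""
    report = {"labels": [], "has_cert": False, "has_key": False,
              "key_encrypted": False, "problems": []}
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # e.g. saved as "Unicode" in a Windows editor; OpenSSL reads bytes,
        # so it never sees an ASCII "-----BEGIN " line.
        report["problems"].append("UTF-16 text: re-save as ASCII")
        text = raw.decode("utf-16", errors="replace")
    else:
        if raw[:3] == b"\xef\xbb\xbf":
            # A BOM makes the first line start with bytes other than "-----".
            report["problems"].append("UTF-8 BOM before the first line")
            raw = raw[3:]
        text = raw.decode("ascii", errors="replace")
    for label, body in PEM_BLOCK.findall(text):
        report["labels"].append(label)
        if label == "CERTIFICATE":
            report["has_cert"] = True
        if label.endswith("PRIVATE KEY"):
            report["has_key"] = True
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                report["key_encrypted"] = True
    if not report["labels"]:
        report["problems"].append("no -----BEGIN line (binary DER/PFX?)")
    return report

if __name__ == "__main__":
    print(inspect_pem(SAMPLE_COMBINED))
```

To check a real file, pass its bytes, for example `inspect_pem(open(path, "rb").read())`; the report only describes the file's structure and never prints key material.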

Victor Kirhenshtein

Hi,

Yes, certificates should be in PEM format, even on Windows.

Best regards,
Victor