Problem creating tunnel between server and agent

Started by dj, May 20, 2020, 03:57:40 PM


Victor Kirhenshtein

From the server log it looks like a certificate validation error. One of the common reasons is an incomplete certificate chain. Did you provide the root CA certificate and all intermediate CA certificates in the server configuration?

Best regards,
Victor

dj

Quote from: Victor Kirhenshtein on June 17, 2020, 09:45:43 AM
Did you provide the root CA certificate and all intermediate CA certificates in the server configuration?

Hi Victor,

yes, I have, and hopefully in the correct way:

ServerCACertificate = v:\netxms\etc\ca.cer  (contains the domain's root certificate "CAROOT")
ServerCertificate = c:\netxms\etc\cert.cer (contains the netxms server's certificate, issued by "CAROOT")
ServerCertificateKey = c:\netxms\etc\netxms.key (contains the private key for the server's certificate)

there's no intermediate CA in our system...

Best...
Detlev
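
An added sanity check for the three files named in the configuration above (example script, not from this thread or the NetXMS project; it assumes the OpenSSL command-line tool is installed and that NetXMS reads these files as PEM). It confirms the CA file is really a CA certificate (root plus any intermediates), that the server certificate chains to it, and that the key belongs to the certificate, then prints the subject and issuer the agent will log:

```sh
#!/bin/sh
# Added example, not from the thread or the NetXMS project. Assumes the OpenSSL
# command-line tool is installed and that NetXMS reads these files as PEM.
# Usage: check_server_tls_files <ServerCACertificate> <ServerCertificate> <ServerCertificateKey>

# Report PEM / DER / unreadable for one file. $1 = path, $2 = openssl subcommand (x509 or pkey).
pem_or_fail() {
    if openssl "$2" -in "$1" -noout 2>/dev/null; then
        return 0
    elif openssl "$2" -in "$1" -inform DER -noout 2>/dev/null; then
        echo "$1 is DER-encoded (one of the two Windows .cer export formats); convert it to PEM"
    else
        echo "$1 is not a readable PEM $2 file"
    fi
    return 1
}

check_server_tls_files() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    pem_or_fail "$ca" x509 || return 1
    pem_or_fail "$cert" x509 || return 1
    pem_or_fail "$key" pkey || return 1

    # The CA file must hold CA certificates (root plus any intermediates, concatenated),
    # not a copy of the server certificate.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$ca does not carry basicConstraints CA:TRUE"; return 1; }

    # The server certificate must chain to what is in the CA file; this is the step that
    # fails with "unable to get local issuer certificate" when the chain is incomplete.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) \
        || { echo "$cert does not verify against $ca: $out"; return 1; }

    # The private key must belong to the certificate: compare SHA-256 of the DER public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$key is not the private key for $cert"; return 1; }

    # Print what the agent reports as "Server certificate subject" / "issuer" for comparison.
    openssl x509 -in "$cert" -noout -subject -issuer
}

[ "$#" -eq 3 ] && check_server_tls_files "$@"
```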

Victor Kirhenshtein

Is it a typo when copying here, an actual typo in your config, or the correct configuration (v: and c:)?

ServerCACertificate = v:\netxms\etc\ca.cer
ServerCertificate = c:\netxms\etc\cert.cer

Also, are there any messages about certificate loading on server startup?

Best regards,
Victor

dj

Quote from: Victor Kirhenshtein on June 18, 2020, 02:52:37 PM
Is it a typo when copying here, an actual typo in your config, or the correct configuration (v: and c:)?

ServerCACertificate = v:\netxms\etc\ca.cer
ServerCertificate = c:\netxms\etc\cert.cer

Also, are there any messages about certificate loading on server startup?

Hi Victor,

the drive letter is just a typo... I have disabled the copy function between the VM console and my desktop, so I quickly typed it in.

The server's log is showing:

2020.06.22 05:54:54.459 *I* [                   ] Crypto library initialized (OpenSSL 1.1.1g  21 Apr 2020)
2020.06.22 05:54:54.459 *D* [                   ] Server certificate loaded
2020.06.22 05:54:54.459 *D* [                   ] Using server certificate key
and the agent receives it correctly when establishing the unbound tunnel

*D* [tunnel             ] 192.168.10.6: Server certificate subject is /C=DE/ST=NW/.....
*D* [tunnel             ] 192.168.10.6: Server certificate issuer is /DC=de/DC=.....
Best...
Detlev

Victor Kirhenshtein

What is the debug level? You should see lines like "Adding CA certificate ..." on level 3 and more on level 5.

Best regards,
Victor

dj

Quote from: Victor Kirhenshtein on June 22, 2020, 04:17:47 PM
What is the debug level? You should see lines like "Adding CA certificate ..." on level 3 and more on level 5.

I have started a clean new attempt in DebugLevel 5 with SSLTrace switched on.

The agent sees the certificate of the server and receives new certificates from the server...

I have attached the agent log for your reference. It shows the "clean" start until the bind to the node fails, and a restart of the agent after that...

Regards
Detlev