Passing a folder to TrustedRootCertificate doesn't work

Started by LucIDR, March 07, 2025, 11:07:03 AM


LucIDR

Hello,

While setting up agent tunneling I've passed a folder for the TrustedRootCertificate config; however, after looking at the logs, verification of the certificate still fails.

When pointing the path at the .crt file directly the verification succeeds and the agent is able to connect.

This is my configuration.

ServerConnection = REDACTED:4703
MasterServers = REDACTED
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
#LogFile = {syslog}
LogFile = C:\NetXMS\log\log.log
DebugLevel = 6
FileStore = C:\NetXMS\var
SubAgent = bind9
SubAgent = filemgr
SubAgent = ping
SubAgent = logwatch
SubAgent = mqtt
SubAgent = netsvc
SubAgent = ssh
SubAgent = wineventsync
SubAgent = winperf
SubAgent = wmi
SubAgent = ups
EnableProxy = yes
EnableSNMPProxy = yes
EnableSNMPTrapProxy = yes
EnableSyslogProxy = yes
EnableTCPProxy = yes
RequireAuthentication = yes
RequireEncryption = yes
EnabledCiphers = 1
SharedSecret = REDACTED

TrustedRootCertificate=C:\NetXMS\var\certs\rootCA.crt # This works
#TrustedRootCertificate=C:\NetXMS\var\certs\ # This does not
VerifyServerCertificate=yes

[filemgr]
RootFolder = C:/NetXMS # read/write access

ZoneUIN = 2
ZoneId = 2

[ServerConnection/REDACTED]
Hostname=REDACTED
Port=4703

The agent is running under Windows.

The log shows that the folder has been successfully added as trusted, but certificate verification fails.
I'm unsure if this is a configuration error on my part or something else; any ideas?
Thanks!

Filipp Sudanov

Can you give some insight in your use case, why a folder is needed? By the way, you can have several certs in one file.

Providing a folder is supported, but the folder should be prepared in the way the OpenSSL library needs. On Linux this is done with symlinks named by cert hashes; you can find some details in a comment under this question: https://unix.stackexchange.com/questions/688608/is-it-possible-to-install-a-custom-ca-certificate-without-the-ca-certificates-pa
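The hashed-directory layout described in that reply, written out as an added example (not NetXMS code and not a script from this thread); it assumes the openssl CLI on PATH and a POSIX shell, and every path and CA name in it is a placeholder:

```shell
# Builds the OpenSSL hashed CA directory layout that a folder passed to
# TrustedRootCertificate must have. Added example; assumes the openssl CLI
# and a POSIX shell. All paths are placeholders.
set -eu

# rehash_dir SRC DST: link each *.crt / *.pem in SRC into DST as
# <subject_hash>.<n>. OpenSSL looks up an issuer by the hash of its subject
# name, then tries .0, .1, ... until one matches, so an old and a new root
# with the same subject name can coexist (the rollover case in this thread).
rehash_dir() {
    src=$(cd "$1" && pwd); dst=$2
    mkdir -p "$dst"
    for cert in "$src"/*.crt "$src"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done
        # a symlink is the conventional layout; a plain copy named the same
        # way works too and avoids symlink privileges on Windows
        ln -s "$cert" "$dst/$hash.$n"
    done
}

# verify_with_dir DIR CERT: succeeds only if CERT chains to a cert in DIR
# (default trust stores disabled so the result reflects DIR alone)
verify_with_dir() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# make_demo_ca DIR NAME CN: constructed throwaway self-signed CA for testing
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
```

Run `rehash_dir /path/with/crts /path/to/certs-dir` and point TrustedRootCertificate at the destination folder; `openssl rehash` (or the older `c_rehash`) produces the same layout.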

LucIDR

Hi, thanks for getting back to me.

In my mind I wanted to use folders so that once the Root CA that is used to issue the certificates for Agent Tunnels gets close to expiry, I am able to issue a new one, provide that one to the agents, and only once that is done update the certificate on the NetXMS server, removing the old one. By having both certificates in the folder it would allow me to roll back to the old certificate on the server in case something goes wrong and I lose connection to all my agents.

I wanted to do it this way to avoid having to log on each machine whenever it's time to renew the CA.

Filipp Sudanov

It should be possible to specify several TrustedRootCertificate entries in agent configuration file.

Also, both on Windows and Linux the agent should add certs from the system store.