Agent lost contact

Started by danny.richardson, January 05, 2018, 05:59:58 PM


danny.richardson

I have installed an agent on Windows with the option "ServerConnection = <some ip>". At start it makes a connection to the server and activates a tunnel. But after some minutes the downloaded certificates are saved. As soon as the certificates are saved, the connection doesn't work anymore.

2018.01.05 14:17:20.812 *I* Successfully registered on management server <server ip>
2018.01.05 14:17:20.813 *D* [tunnel             ] Tunnel manager started
2018.01.05 14:17:20.822 *D* [tunnel             ] <server ip>: Cannot open file "<some path>\nxagentd\certificates\CAD4EAF5F8DCF4FCEA57D70611528A9EEBE98007.crt" (No such file or directory)
2018.01.05 14:17:20.822 *D* [tunnel             ] <server ip>: Cannot open file "<some path>\nxagentd\certificates\060285B36125000000000000000000000000.crt" (No such file or directory)
2018.01.05 14:17:20.836 *D* [tunnel             ] <server ip>: Server certificate subject is <some data>
2018.01.05 14:17:20.836 *D* [tunnel             ] <server ip>: Server certificate issuer is <some data>
2018.01.05 14:17:20.837 *D* [VCS-1] Requesting parameter "System.PlatformName"
2018.01.05 14:17:20.837 *D* [VCS-1] GetParameterValue(): result is 0 (SUCCESS)
2018.01.05 14:17:20.837 *D* [VCS-1] Requesting parameter "System.UName"
2018.01.05 14:17:20.837 *D* [VCS-1] GetParameterValue(): result is 0 (SUCCESS)
2018.01.05 14:17:20.838 *D* [tunnel             ] <server ip>: Sending message CMD_SETUP_AGENT_TUNNEL
2018.01.05 14:17:20.842 *D* [tunnel             ] <server ip>: Received message CMD_REQUEST_COMPLETED
2018.01.05 14:17:20.842 *D* [tunnel             ] <server ip>: Tunnel is active
2018.01.05 14:17:21.813 *D* [db.query           ] {0000017DCADD11E0} Successful prepare: "SELECT value FROM registry WHERE attribute=?" [0 ms]
2018.01.05 14:17:21.813 *D* [db.query           ] {0000017DCADD11E0} bind at pos 1: "upgrade.file"
2018.01.05 14:17:21.814 *D* [db.query           ] Successful prepared sync query: "SELECT value FROM registry WHERE attribute=?" [0 ms]
2018.01.05 14:17:21.815 *D* [db.query           ] Successful sync query: "SELECT guid,type FROM agent_policy" [0 ms]
2018.01.05 14:17:21.816 *I* NetXMS Agent started
2018.01.05 14:17:50.843 *D* [tunnel             ] <server ip>: Sending message CMD_KEEPALIVE
2018.01.05 14:17:50.847 *D* [tunnel             ] <server ip>: Received message CMD_KEEPALIVE
2018.01.05 14:17:58.419 *D* [tunnel             ] <server ip>: Received message CMD_BIND_AGENT_TUNNEL
2018.01.05 14:17:58.511 *D* [tunnel             ] <server ip>: Sending message CMD_REQUEST_CERTIFICATE
2018.01.05 14:17:58.518 *D* [tunnel             ] <server ip>: Received message CMD_NEW_CERTIFICATE
2018.01.05 14:17:58.529 *D* [tunnel             ] <server ip>: Certificate and private key saved
2018.01.05 14:17:58.529 *D* [tunnel             ] <server ip>: Sending message CMD_REQUEST_COMPLETED
2018.01.05 14:17:58.533 *D* [tunnel             ] <server ip>: Received message CMD_RESET_TUNNEL
2018.01.05 14:17:58.534 *D* [tunnel             ] <server ip>: Receiver thread stopped (tunnel reset)
2018.01.05 14:18:20.573 *D* DataCollector: sleeping for 60 seconds
2018.01.05 14:18:20.848 *D* [tunnel             ] <server ip>: Resetting tunnel
2018.01.05 14:18:20.863 *D* [tunnel             ] <server ip>: Certificate and private key loaded
2018.01.05 14:18:20.881 *D* [tunnel             ] <server ip>: TLS handshake failed (error:00000001:lib(0):func(0):reason(1))
2018.01.05 14:18:50.892 *D* [tunnel             ] <server ip>: Certificate and private key loaded
2018.01.05 14:18:50.909 *D* [tunnel             ] <server ip>: TLS handshake failed (error:00000001:lib(0):func(0):reason(1))
2018.01.05 14:19:20.573 *D* DataCollector: sleeping for 60 seconds

Victor Kirhenshtein

Hi,

do you have other tunnels working? It could be a certificate validation issue - you can check the tunnel log on the server side for more information.

Best regards,
Victor

gdodd

I am having the same error message of TLS handshake failed (error:00000001:lib(0):func(0):reason(1)).
This is my first tunnel created.
NetXMS 2.2.1
I am on Windows 2008R2. I downloaded openssl for Windows. The below openssl.cnf is default as installed.

On the NetXMS server, I did the following:
openssl genrsa -out rootCA.key 2048
openssl req -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf" -x509 -new -key rootCA.key -days 2038 -out rootCA.crt
openssl genrsa -out server.key 2048
openssl req -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf" -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 2038

I placed rootCA.crt, server.crt, and server.key into D:\NetXMS\etc\cert

I added the following to netxmsd.conf and restarted the NetXMS core service

ServerCACertificate = D:\NetXMS\etc\cert\rootCA.crt
ServerCertificate = D:\NetXMS\etc\cert\server.crt
ServerCertificateKey = D:\NetXMS\etc\cert\server.key

On the agent I have the following in the nxagentd config file

MasterServers = 172.16.0.47
ServerConnection = 24.xx.xxx.xxx

The agent connects to the server and I see the tunnel in the tunnel manager. After I bind the tunnel to a node, I get the TLS handshake failed error. My log messages appear in the agent log just as posted by danny.richardson.

gdodd

I was able to resolve my issue (which, according to the logs, is the same as yours) and perhaps this will help. I'm going to start at the beginning even though you already have some of the steps completed (since you get the tunnel to come up initially).

I'm on Windows 2008R2
I port forwarded TCP 4703 to my NetXMS server on my firewall
NetXMS server program is already added to Windows firewall (but check on this)
I have a Linux Mint VirtualBox that I used for the openssl commands. Windows openssl I imagine would work, but I had the Linux box and it was faster than formatting the provided openssl.conf files for a Windows install.
Follow creating the root pair as shown here:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Make sure you copy the config file from the Appendix as it says in the directions
Follow creating the intermediate pair as shown here:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
Make sure you copy the config file from the Appendix as it says in the directions
When it says chmod 400, I did 444, so I could edit the files (later step)
You do not need to create the certificate chain file, as it will not be used (I tried, it doesn't work)
Edit the intermediate.cert.pem file and add the text from the intermediate.key.pem at the bottom so you have
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
stuff
-----END RSA PRIVATE KEY-----
I think you need a blank line at the end of the pem files. So make sure you can put the cursor down under the -----END RSA PRIVATE KEY----- line, indicating there is a blank line there
Copy ca.cert.pem and intermediate.cert.pem to your NetXMS server. I put them in D:\NetXMS\etc\cert
Add the following to netxmsd.conf
ServerCACertificate = D:\NetXMS\etc\cert\ca.cert.pem
ServerCertificate = D:\NetXMS\etc\cert\intermediate.cert.pem
ServerCertificatePassword = secretpassword
Restart the NetXMS Core service

On the node/agent add the following to the nxagentd.conf where the x's are your public IP (or whatever the nodes will be tunneling to)
MasterServers = xxx.xxx.xxx.xxx
ServerConnection = xxx.xxx.xxx.xxx
Restart the NetXMS Agent service

In NetXMS Management Console go to Configuration/Agent Tunnel Manager. You should see the Unbound tunnel. Right click and create node and bind. I left the Primary host name blank. Although I have seen posts where you set it to 0.0.0.0 or the IP of the agent (not sure if that is the public or the local IP). When I set it to 0.0.0.0 it changes the name to not what I want. I left it blank, it has been working and I get the name I set.

Most of what I have here isn't new. I just consolidated it into one place.
This post was a big help https://www.netxms.org/forum/configuration/agent-to-server-connections/msg22308/#msg22308
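A small lint for the combined ServerCertificate file described above (certificate block followed by the private key block, file ending with a newline). This is an added example, not code from NetXMS or from the posters; the PEM bodies it uses are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must match each other.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        if lines and ":" in lines[0]:
            # Traditional encrypted keys carry Proc-Type/DEK-Info headers, then a blank line.
            lines = lines[lines.index("") + 1:] if "" in lines else []
        der = base64.b64decode("".join(lines), validate=True)  # raises on bad base64
        blocks.append((label, der))
    return blocks


def check_server_cert_file(text):
    """Lint a combined cert+key file the way netxmsd expects it; return problems found."""
    problems = []
    blocks = parse_pem_blocks(text)
    if not blocks or blocks[0][0] != "CERTIFICATE":
        problems.append("first block must be a CERTIFICATE")
    if not any(lbl in _KEY_LABELS for lbl, _ in blocks):
        problems.append("no private key block appended after the certificate")
    for lbl, der in blocks:
        if not der or der[0] != 0x30:  # DER certs and keys always start with SEQUENCE
            problems.append(f"{lbl} body does not decode to an ASN.1 SEQUENCE")
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


def _fake_der(n=24):
    # Constructed placeholder: bytes that merely start like DER (SEQUENCE tag + length).
    return b"\x30\x82" + (n - 2).to_bytes(2, "big") + b"\x00" * (n - 4)


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


CERT_ONLY = _pem("CERTIFICATE", _fake_der())                 # intermediate.cert.pem as generated
GOOD_PEM = CERT_ONLY + _pem("RSA PRIVATE KEY", _fake_der(32))  # with the key appended
```

Run `check_server_cert_file(open(path).read())` against the file named in ServerCertificate; an empty list means the layout matches what the post describes.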