On 3/19/19 3:49 AM, SebA wrote:
> On Mon, 18 Mar 2019 at 23:36, Bruce Ferrell <bferrell at baywinds.org> wrote:
>> On 3/18/19 11:25 AM, SebA wrote:
>>> I want to be able to test a TLS service that uses server and client certificates, and the only way seems to be with http, but this is not an http(s) service. It would need to be configurable in protocols.cfg or some other way in hosts.cfg. I tried pretending it was https and it says 'SSL error' in the test output. It doesn't create the sslcert column either, or I could just disable the https test and still get the certificate monitoring, which is what I wanted most anyway.
>>>
>>> Kind regards,
>>>
>>> SebA
>>
>> What does the openssl s_client test do?
>>
>> openssl s_client -connect <host:port>
>
> Hi Bruce,
>
> When the certificate is expired the result on openssl-1.0.2k-12.109.amzn1.x86_64 (the local server) is:
>
> Verify return code: 10 (certificate has expired)
>
> However, the result on openssl-1.0.2k-12.el7.x86_64 (on the Xymon server) is:
>
> Verify return code: 20 (unable to get local issuer certificate)
>
> Once the certificate is renewed the result on both versions is:
>
> Verify return code: 0 (ok)
>
> Kind regards,
>
> SebA
That's intriguing enough I did some poking at the issue. I found some possibilities:

This error can happen if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.

and

another possible solution is by passing path to a directory where CA keys are stored. i.e.

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

Some systems pre-populate the CA keystore with a package called something like ca-certificates and if that's not loaded adding a CApath parameter will still fail.

I'm not very surprised that the sslcert column isn't created though. Based on looking at my sslcert column, I think the https test is looking for web server header responses to go along with the certificate test and your service may not be sending those.

I suspect you may need to craft a custom test in a script, but that shouldn't be too bad.
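The thread ends with the suggestion of a custom test script for a plain-TLS service with client certificates. What follows is an added example of such a skeleton; it is not Xymon's own code and not anything either poster shared. It wraps `openssl s_client` with the `-CApath` option from Bruce's reply, adds the real `-cert`/`-key` options for sending a client certificate, parses the "Verify return code" line quoted by SebA, and turns the code plus the certificate's `notAfter` date into a monitor colour. The colour mapping, the hostnames, the file paths and the sample outputs are constructed for this example; the parsing functions run offline, and only `run_check` needs a live service.

```python
#!/usr/bin/env python3
"""Skeleton for a custom TLS certificate check (added example, not Xymon's
own code). Assumes the monitored service speaks plain TLS, openssl is on
PATH, and the trust store lives under /etc/ssl/certs/ (all assumptions)."""
import re
import subprocess
from datetime import datetime, timezone

# Verify return codes quoted in the thread, mapped to monitor colours.
# The colour choice is this example's assumption, not a Xymon convention.
COLOUR_BY_VERIFY_CODE = {0: "green", 10: "red", 20: "yellow"}

VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def build_s_client_cmd(host, port, capath="/etc/ssl/certs/",
                       client_cert=None, client_key=None):
    """Assemble the openssl s_client command line.
    -CApath points at the trust-store directory, the fix discussed in the thread;
    -cert/-key send a client certificate for services that require mutual TLS."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-CApath", capath]
    if client_cert:
        cmd += ["-cert", client_cert, "-key", client_key or client_cert]
    return cmd


def parse_verify_return(output):
    """Extract (code, message) from s_client output; None if the line is absent,
    which means the handshake never produced a verification result."""
    m = VERIFY_RE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None


def days_until_expiry(enddate_line, now_iso=None):
    """Parse 'notAfter=Mar 20 00:00:00 2019 GMT' (the `openssl x509 -noout -enddate`
    format) and return whole days left; negative once the certificate has expired.
    now_iso, when given, must be an ISO 8601 timestamp with a UTC offset."""
    value = enddate_line.split("=", 1)[1].strip()
    expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (expiry - now).days


def classify(verify_result, days_left, warn_days=30):
    """Collapse the verify code and the remaining lifetime into one colour."""
    if verify_result is None:
        return "red"                      # no verification result at all
    code, _msg = verify_result
    if code != 0:
        return COLOUR_BY_VERIFY_CODE.get(code, "red")
    if days_left < 0:
        return "red"
    return "yellow" if days_left <= warn_days else "green"


def run_check(host, port, capath="/etc/ssl/certs/", client_cert=None, client_key=None):
    """Live check: run s_client with stdin closed so it exits after the handshake,
    then feed the returned PEM to `openssl x509 -enddate`. Needs a reachable service."""
    cmd = build_s_client_cmd(host, port, capath, client_cert, client_key)
    out = subprocess.run(cmd, input=b"", capture_output=True,
                         timeout=15).stdout.decode(errors="replace")
    verify = parse_verify_return(out)
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", out, re.S)
    days_left = -1
    if pem:
        end = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                             input=pem.group(0).encode(), capture_output=True).stdout.decode()
        days_left = days_until_expiry(end.strip())
    return classify(verify, days_left), verify, days_left


# Constructed sample outputs mirroring the lines quoted in the thread.
SAMPLE_EXPIRED = "...\nVerify return code: 10 (certificate has expired)\n"
SAMPLE_NO_ISSUER = "...\nVerify return code: 20 (unable to get local issuer certificate)\n"
SAMPLE_OK = "...\nVerify return code: 0 (ok)\n"
SAMPLE_ENDDATE = "notAfter=Mar 20 00:00:00 2019 GMT"

if __name__ == "__main__":
    days = days_until_expiry(SAMPLE_ENDDATE, "2019-03-19T00:00:00+00:00")
    for sample in (SAMPLE_EXPIRED, SAMPLE_NO_ISSUER, SAMPLE_OK):
        v = parse_verify_return(sample)
        print(v, "->", classify(v, days))
```

Code 20 is kept yellow rather than red on purpose: as the thread shows, it can mean the checking host lacks the issuer in its trust store rather than that the service's certificate is bad, so it should prompt a look at `-CApath` and the ca-certificates package before anyone treats it as an outage.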