fusioninventory / fusioninventory-agent

FusionInventory Agent
http://fusioninventory.org/
GNU General Public License v2.0

Send inventory over HTTPS - Let’s Encrypt certificates trust #966

Closed brunojsilv closed 2 years ago

brunojsilv commented 2 years ago

We use the FusionInventory agent on our company's workstations, they send the inventory to our GLPI server.

Our GLPI server is HTTPS certified by the Let's Encrypt certification authority.

Since the beginning of October, our computers have stopped sending automatic inventory to our GLPI server.

After an investigation and several executions of agents with different configurations, we identified that the verification of the HTTPS certificate issued by Let's Encrypt had failed. (Attached image)

According to Let's Encrypt, from September 30th onwards the old root certificate they used (DST Root CA X3) would no longer be valid; only the new root certificate (ISRG Root X1) would be valid for issuing all HTTPS certificates after that date.

According to the tests carried out, the FusionInventory agent does not trust the new ISRG Root X1 certificate from Let's Encrypt and issues the failure message in the verification of the HTTPS certificate issued to our GLPI.

To partially solve the problem, we've configured our agents to send inventory over unsecured connections (HTTP) to our GLPI server, but we'll also wait for an update from the FusionInventory agent that brings trust in Let's Encrypt's new root certificate.

Image captured from a Linux terminal running the FusionInventory agent:

[Image: fusion-error]

Let's Encrypt Documentation of Root Certificate Exchange

Xtraim commented 2 years ago

Better to modify your post and anonymize/blur a little bit sensitive information as anyone can see this post.

ddurieux commented 2 years ago

Hi, you need to update your system with the certificates, you know, U-P-D-A-T-E THE SYSTEM :D. So, it will update the ca_root_nss package.

brunojsilv commented 2 years ago

I'm on Ubuntu 20.04 LTS with all packages updated and I keep getting the same error message on certificate verification.

We also use Windows 10 workstations with all Windows Updates installed and the latest agent version as well.

g-bougard commented 2 years ago

Hi, in case you can't update the system, you can still try to upgrade the ca-bundle.crt file by taking the latest one from https://curl.se/docs/caextract.html. On Fedora systems it is provided by ca-certificates and is put at /etc/pki/tls/certs/ca-bundle.crt, but it can be anywhere else on other systems. On Ubuntu, you may try the update-ca-certificates command if available. On Windows 10, you have to search for the ca-bundle.crt file under the installation folder and upgrade it.

guillomovitch commented 2 years ago

As for any other case of validating a single server certificate under your control, you don't need to rely on a system-wide list of trusted CAs, just the single one which delivered this certificate. Just download the ISRG Root X1 certificate, and configure your agents to use it to validate your GLPI server certificate.
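An added example, not from this thread or the FusionInventory project, that reproduces offline the point made above and in the earlier replies: a bundle containing only the root that issued the server certificate validates it, while a bundle missing that root (the situation of an outdated ca-bundle.crt) rejects it. The demo CA, the hostname glpi.example.invalid and the isrg-root-x1.pem path are constructed placeholders; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA standing in for ISRG Root X1, a server
# certificate for a GLPI host signed by it, and a second unrelated root standing
# in for a CA bundle that does not know the new Let's Encrypt root.
# Assumes the openssl CLI is installed; no network access is needed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
  # Root CA (stand-in for ISRG Root X1); req -x509 marks it CA:TRUE by default
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Server certificate for the GLPI host, issued by that root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=glpi.example.invalid" \
    -keyout "$WORK/glpi.key" -out "$WORK/glpi.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/glpi.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/glpi.pem" >/dev/null 2>&1
  # Unrelated root (stand-in for an outdated bundle that lacks ISRG Root X1)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# verify_against BUNDLE CERT: prints "ok" when CERT chains to a root in BUNDLE,
# "fail" otherwise. This is the path-validation step the agent's HTTPS client
# performs before it sends an inventory.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

if command -v openssl >/dev/null 2>&1; then
  make_demo_pki
  echo "single issuing root only: $(verify_against "$WORK/root.pem" "$WORK/glpi.pem")"   # ok
  echo "bundle without that root: $(verify_against "$WORK/other.pem" "$WORK/glpi.pem")" # fail
fi

# Against the real server (network call, not run here), then point the agent at
# the same file through its ca-cert-file setting (path is a placeholder):
#   openssl s_client -connect glpi.example.invalid:443 -CAfile isrg-root-x1.pem </dev/null
#   ca-cert-file = /etc/fusioninventory/isrg-root-x1.pem
```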

brunojsilv commented 2 years ago

Ok, thanks everyone for the guidance. I will include the root certificate in our workstations' operating systems.