glpi-project / glpi-agent

GLPI Agent
GNU General Public License v2.0

Slow inventory because of certutil on some computer #560

Closed krenaudUR closed 9 months ago

krenaudUR commented 9 months ago

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

Hello, I don't think it's really related to GLPI agent, but maybe someone has the solution. On some computers, every hour, it does this if I try to force an inventory (if I try to force an inventory before 1 hour has passed, it does the inventory without that):

```
[Wed Dec 20 11:19:08 2023][debug] [http client] Updating keystore known certificates
[Wed Dec 20 11:19:08 2023][debug2] Changing to 'C:/Program Files/GLPI-Agent/var/keystore-export-hQfI0E' temporary folder
[Wed Dec 20 11:19:08 2023][debug2] executing certutil -Silent -Split -Store CA
[Wed Dec 20 11:19:11 2023][debug2] executing certutil -Silent -Split -Store Root
[Wed Dec 20 11:19:12 2023][debug2] executing certutil -Silent -Split -Enterprise -Store CA
[Wed Dec 20 11:19:14 2023][debug2] executing certutil -Silent -Split -Enterprise -Store Root
[Wed Dec 20 11:19:16 2023][debug2] executing certutil -Silent -Split -GroupPolicy -Store CA
[Wed Dec 20 11:19:17 2023][debug2] executing certutil -Silent -Split -GroupPolicy -Store Root
[Wed Dec 20 11:19:19 2023][debug2] executing certutil -Silent -Split -User -Store CA
[Wed Dec 20 11:19:20 2023][debug2] executing certutil -Silent -Split -User -Store Root
[Wed Dec 20 11:19:22 2023][debug2] executing certutil -encode 007790f6561dad89b0bcd85585762495e358f8a5.crt temp.cer
[Wed Dec 20 11:19:24 2023][debug2] executing certutil -encode 0119e81be9a14cd8e22f40ac118c687ecba3f4d8.crt temp.cer
[Wed Dec 20 11:19:25 2023][debug2] executing certutil -encode 0185ff9961ff0aa2e431817948c28e83d3f3ec70.crt temp.cer
[Wed Dec 20 11:19:27 2023][debug2] executing certutil -encode 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.crt temp.cer
[Wed Dec 20 11:19:28 2023][debug2] executing certutil -encode 06f1aa330b927b753a40e68cdf22e34bcbef3352.crt temp.cer
[Wed Dec 20 11:19:30 2023][debug2] executing certutil -encode 09d3b2af97a5a4e6a49c6005e1a3165fdba8e22e.crt temp.cer
[Wed Dec 20 11:19:32 2023][debug2] executing certutil -encode 109f1caed645bb78b3ea2b94c0697c740733031c.crt temp.cer
[Wed Dec 20 11:19:33 2023][debug2] executing certutil -encode 18f7c1fcc3090203fd5baa2f861a754976c8dd25.crt temp.cer
[Wed Dec 20 11:19:35 2023][debug2] executing certutil -encode 1906dcf62629b563252c826fdd874efceb6856c6.crt temp.cer
[Wed Dec 20 11:19:36 2023][debug2] executing certutil -encode 245c97df7514e7cf2df8be72ae957b9e04741e85.crt temp.cer
[Wed Dec 20 11:19:38 2023][debug2] executing certutil -encode 28c9701ac1ab3ae99ec22ba7b4ac19800d17653b.crt temp.cer
[Wed Dec 20 11:19:39 2023][debug2] executing certutil -encode 31f9fc8ba3805986b721ea7295c65b3a44534274.crt temp.cer
[Wed Dec 20 11:19:41 2023][debug2] executing certutil -encode 329b78a5c9ebc2043242de90ce1b7c6b1ba6c692.crt temp.cer
[Wed Dec 20 11:19:42 2023][debug2] executing certutil -encode 3b1efd3a66ea28b16697394703a72ca340a05bd5.crt temp.cer
[Wed Dec 20 11:19:44 2023][debug2] executing certutil -encode 4406cbb0e5fac5409a2bbe7f1e8495b3c50becea.crt temp.cer
[Wed Dec 20 11:19:45 2023][debug2] executing certutil -encode 4b6c9b6a766ed3761834ce9e122c8741a64ebdcd.crt temp.cer
[Wed Dec 20 11:19:47 2023][debug2] executing certutil -encode 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.crt temp.cer
[Wed Dec 20 11:19:48 2023][debug2] executing certutil -encode 60ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e3.crt temp.cer
[Wed Dec 20 11:19:50 2023][debug2] executing certutil -encode 645984515ab9fb7ae8065b9ddb0e908f8e870ed5.crt temp.cer
[Wed Dec 20 11:19:51 2023][debug2] executing certutil -encode 7032abe7d21ee74edd1478f24d39f8cce1744308.crt temp.cer
[Wed Dec 20 11:19:53 2023][debug2] executing certutil -encode 70411c540e99eed5981971c82dd1b00934cf88e6.crt temp.cer
[Wed Dec 20 11:19:54 2023][debug2] executing certutil -encode 77a10ebf07542725218cd83a01b521c57bc67f73.crt temp.cer
[Wed Dec 20 11:19:56 2023][debug2] executing certutil -encode 7f88cd7223f3c813818c994614a89c99fa3b5247.crt temp.cer
[Wed Dec 20 11:19:57 2023][debug2] executing certutil -encode 83da05a9886f7658be73acf0a4930c0f99b92f01.crt temp.cer
[Wed Dec 20 11:19:59 2023][debug2] executing certutil -encode 8f43288ad272f3103b6fb1428485ea3014c0bcfe.crt temp.cer
[Wed Dec 20 11:20:00 2023][debug2] executing certutil -encode 92b46c76e13054e104f230517e6e504d43ab10b5.crt temp.cer
[Wed Dec 20 11:20:02 2023][debug2] executing certutil -encode a43489159a520f0d93d032ccaf37e7fe20a8b419.crt temp.cer
[Wed Dec 20 11:20:03 2023][debug2] executing certutil -encode aa8357cd59838a89f41afec0045449cbaf70aa47.crt temp.cer
[Wed Dec 20 11:20:05 2023][debug2] executing certutil -encode be36a4562fb2ee05dbb3d32323adf445084ed656.crt temp.cer
[Wed Dec 20 11:20:07 2023][debug2] executing certutil -encode c1185f56116a1f5f8917141e2cd98de467ec1065.crt temp.cer
[Wed Dec 20 11:20:08 2023][debug2] executing certutil -encode c7ed7bf076120309f682577fe7b29a7593e9889c.crt temp.cer
[Wed Dec 20 11:20:10 2023][debug2] executing certutil -encode cdd4eeae6000ac7f40c3802c171e30148030c072.crt temp.cer
[Wed Dec 20 11:20:11 2023][debug2] executing certutil -encode d38555d912d90bac9adbc938cf83725bc8dae2fe.crt temp.cer
[Wed Dec 20 11:20:13 2023][debug2] executing certutil -encode d4ffdb19ba590fffaa34db5f4b568706a2978436.crt temp.cer
[Wed Dec 20 11:20:14 2023][debug2] executing certutil -encode d559a586669b08f46a30a133f8a9ed3d038e2ea8.crt temp.cer
[Wed Dec 20 11:20:16 2023][debug2] executing certutil -encode e20692d8b96f693d5bb062004d826af8d14925f2.crt temp.cer
[Wed Dec 20 11:20:17 2023][debug2] executing certutil -encode ebe112f56d5fe0ba23289319c89d7784a10ceb61.crt temp.cer
[Wed Dec 20 11:20:19 2023][debug2] executing certutil -encode f8724c508bf9a3c25cf14b5636e5745e829ef659.crt temp.cer
[Wed Dec 20 11:20:20 2023][debug2] executing certutil -encode fee449ee0e3965a5246f000e87fde2a065fd89d4.crt temp.cer
[Wed Dec 20 11:20:22 2023][debug2] Changing back to 'C:/Program Files/GLPI-Agent/perl/bin' folder
```

The certificate works, because on other computers the inventory starts without these things. It's kind of random: some computers do that and others don't.

It has happened since I changed the certificate, and I suspect it's trying to replace data from the previous certificate, but I didn't find where I can delete the previous memory of that.

I already tried to uninstall GLPI agent and check whether the registry keys and files still exist after the uninstall, but no, everything was deleted.

After all of this, it still works, but it slows down the process. Under normal conditions the inventory is done in 1 minute or less, but with this it takes more than 2 or 3 minutes.

Tell me if I can provide more information to help (in the meantime, here's the full agent log with debug level 2 and the settings of the agent (the only thing that changes between computers is the proxy settings), with * on "sensitive" information): glpi-agent.log glpiconfig.txt

PS: I can write in French if it's easier to understand or to help.

To reproduce

Hard to reproduce, because it's not really a GLPI problem, but more about the computer itself and the certificate.

But tell me if I can do something to help you about that.

  1. Force Inventory on the agent
  2. The inventory is slowed by certutil

Expected behavior

The inventory starts right away.

Operating system

Windows

GLPI Agent version

1.6.1

GLPI version

10.0.x (See additional context below)

GLPIInventory plugin or FusionInventory for GLPI plugin version

GLPI Inventory v1.x.x (See additional context below)

Additional context

GLPI Server: 10.0.11
GLPI Inventory: 1.3.4

g-bougard commented 9 months ago

Hi @krenaudUR

Actually, the Windows keystore export is cached for one hour. The keystore export is used in case you use it to deploy the GLPI server certificate. The only case where it is not used is when you set ca-cert-dir to some folder. So can you try to set it to something like C:\Program Files\GLPI-Agent\etc?

Indeed, maybe we should also remove the keystore export in the case where ca-cert-file or ssl-fingerprint are also set, as they are intended to authenticate the server.

Also, as the export process can be long (more than a minute in your case), I'll study other possibilities. For example, an option to identify which certificate to export could be nice.

So for now, can you just set ca-cert-dir as a workaround? The folder and its content are not important if you also specify ca-cert-file.

krenaudUR commented 9 months ago

Hi @g-bougard

I tried to put in ca-cert-dir: C:\Program Files\GLPI-Agent\etc (I deleted the ca-cert-file option),

but after I restarted the service and forced an inventory, I have an error in the log:

```
[Wed Dec 20 17:47:39 2023][error] [http client] internal response: 500 Can't connect to glpi.**.***-.fr:443 (Bad file descriptor), SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Wed Dec 20 17:47:39 2023][error] No supported answer from server at https://glpi..-****.fr/plugins/glpiinventory
```

g-bougard commented 9 months ago

@krenaudUR

Sorry, I forgot you can't use ca-cert-file and ca-cert-dir at the same time. So you need to move your cert file into the ca-cert-dir folder. It must be renamed following the explanation you'll find for the CA_CERT_DIR parameter in this documentation: https://glpi-agent.readthedocs.io/en/latest/installation/windows-command-line.html

Another solution: still set ca-cert-dir to a folder without any certificate, but set up ssl-fingerprint to authenticate the server certificate (run once with --no-ssl-check to obtain the right value). Using those 2 configuration parameters together is not prohibited.

I am really thinking of removing the keystore export if ca-cert-file or ssl-fingerprint is set. I think I'll do that for the next release, which I planned for tomorrow. For now, I don't see any reason to export the keystore if we use one of these parameters.
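The ca-cert-dir workaround above depends on the CA file carrying the OpenSSL hashed-directory name (<subject_hash>.0), which is what the CA_CERT_DIR documentation describes. The script below is an added example, not glpi-agent code or anything posted in this thread: it assumes the openssl CLI is on PATH, uses placeholder paths, and installs a CA PEM under that name, then checks that a directory lookup actually finds it (and that a file left as plain ca.pem is not found).

```shell
#!/bin/sh
# Added example, not glpi-agent code: install a CA PEM into a ca-cert-dir folder
# under the OpenSSL hashed-directory name (<subject_hash>.0) that the agent's
# ca-cert-dir lookup expects. Assumes the openssl CLI is on PATH; paths are
# placeholders chosen here.
set -e

# install_ca_cert <ca.pem> <ca-cert-dir>: copy the certificate in as
# <subject_hash>.<n>, n being the first free index (0 unless another CA
# with the same subject hash is already installed). Prints the new path.
install_ca_cert() {
    pem="$1"; dir="$2"
    mkdir -p "$dir"
    # Refuse anything that is not a parseable X.509 certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 ||
        { echo "not an X.509 PEM certificate: $pem" >&2; return 1; }
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # Identical file already present: reuse it instead of adding a copy.
        if cmp -s "$pem" "$dir/$hash.$n"; then echo "$dir/$hash.$n"; return 0; fi
        n=$((n + 1))
    done
    cp "$pem" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_with_dir <cert.pem> <ca-cert-dir>: succeed only if OpenSSL can build
# a chain for the certificate from that directory, which is the hashed lookup
# the agent's HTTP client relies on once ca-cert-dir is set.
verify_with_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Offline demo with a constructed self-signed CA: the hashed name validates,
# the same file left as plain ca.pem in another folder does not.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/ca.key" \
        -out "$tmp/ca.pem" -days 1 -subj "/CN=Example GLPI CA" >/dev/null 2>&1
    installed=$(install_ca_cert "$tmp/ca.pem" "$tmp/ca-cert-dir")
    verify_with_dir "$tmp/ca.pem" "$tmp/ca-cert-dir" && echo "OK via $installed"
    mkdir -p "$tmp/plain" && cp "$tmp/ca.pem" "$tmp/plain/ca.pem"
    verify_with_dir "$tmp/ca.pem" "$tmp/plain" || echo "plain ca.pem is ignored"
}
demo
```

On the Windows agent the same renamed file goes into the folder given as ca-cert-dir; the hash comes from `openssl x509 -noout -subject_hash` run anywhere OpenSSL is available.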

krenaudUR commented 9 months ago

@g-bougard

It works: I obtained the hash from my .pem and renamed the .pem to hash.0, and now it works.

But I think I will wait for the removal of the keystore export with ca-cert-file, because it makes me change the policy of existing computers from ca-cert-file to ca-cert-dir and add or rename the .pem to hash.0.

Thanks

g-bougard commented 9 months ago

@krenaudUR Just in case, GLPI Agent 1.7 has been published.

krenaudUR commented 9 months ago

@g-bougard Okay, thanks, I will try in January. I don't want to break it all (I'm sure it won't, but just in case) before the holidays.

g-bougard commented 9 months ago

It would be nice if you could still validate that it works as expected with at least one computer.

krenaudUR commented 9 months ago

@g-bougard Okay, I will try on my computer tomorrow and tell you.

krenaudUR commented 9 months ago

Hi @g-bougard

It seems to work with 1.7; I don't have any keystore export in the log now with ca-cert-file.