Closed krenaudUR closed 9 months ago
Hi @krenaudUR
Actually the Windows keystore export is cached for one hour. The keystore export is used in the case you use it to deploy the GLPI server certificate. The only case it is not used is when you set `ca-cert-dir` to some folder. So can you try to set it to something like `C:\Program Files\GLPI-Agent\etc`?
Indeed maybe we should also remove keystore export in the case `ca-cert-file` or `ssl-fingerprint` are also set, as they are intended to authenticate the server.
Also as the export process could be long (more than a minute in your case), I'll study other possibilities. For example an option to identify which certificate to export could be nice.
So for now, can you just set `ca-cert-dir` as a workaround?
The folder and its content are not important if you also specify `ca-cert-file`.
Hi @g-bougard
I tried to set `ca-cert-dir` to `C:\Program Files\GLPI-Agent\etc` (I deleted the `ca-cert-file` option),
but after I restart the service and force an inventory, I have an error in the log:
```
[Wed Dec 20 17:47:39 2023][error] [http client] internal response: 500 Can't connect to glpi.**.***-.fr:443 (Bad file descriptor), SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Wed Dec 20 17:47:39 2023][error] No supported answer from server at https://glpi..-****.fr/plugins/glpiinventory
```
@krenaudUR
Sorry, I forgot you can't use `ca-cert-file` and `ca-cert-dir` at the same time. So you need to move your cert file into the `ca-cert-dir` folder. It must be renamed following the explanation you'll find for the `CA_CERT_DIR` parameter in this documentation: https://glpi-agent.readthedocs.io/en/latest/installation/windows-command-line.html
Another solution: still set `ca-cert-dir` to a folder without any certificate, but set up `ssl-fingerprint` to authenticate the server certificate (run one time with `--no-ssl-check` to obtain the right value). The use of those 2 configuration parameters is not prohibited.
I'm really thinking of removing the keystore export if `ca-cert-file` or `ssl-fingerprint` is set. I think I'll do that for the next release I planned for tomorrow. For now, I don't see any reason to export the keystore if we use one of these parameters.
@g-bougard
It works: I obtained the hash from my .pem and renamed the .pem to hash.0, and now it works.
But I think I will wait for the removal of the keystore export with `ca-cert-file`, because this makes me change the policy of existing computers from `ca-cert-file` to `ca-cert-dir` and add or rename the .pem to hash.0.
thanks
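The rename step discussed in the two comments above, as an added example (not GLPI Agent project code). It assumes the `openssl` command-line tool in a POSIX shell, for instance on the workstation that prepares the file before deployment; the function name `install_hashed_cert` is hypothetical. It also handles the case where the directory already holds a certificate with the same subject.

```shell
#!/bin/sh
# Added example: install a PEM certificate into an OpenSSL-style CA directory
# under the <subject-hash>.<n> file name that directory lookups expect.

install_hashed_cert() {
    pem=$1
    dir=$2
    # 8-hex-digit subject-name hash, used as the file name stem.
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    # SHA-256 fingerprint, used only to recognise an identical certificate.
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$pem") || return 1
    n=0
    # Certificates sharing a subject get .0, .1, .2 ...; take the first free slot.
    while [ -e "$dir/$hash.$n" ]; do
        have=$(openssl x509 -noout -fingerprint -sha256 \
                   -in "$dir/$hash.$n" 2>/dev/null) || have=""
        if [ "$have" = "$want" ]; then
            echo "$hash.$n"      # already installed, nothing to copy
            return 0
        fi
        n=$((n + 1))
    done
    cp "$pem" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}

# Usage: sh install_hashed_cert.sh glpi-server.pem ./ca-cert-dir
if [ "$#" -eq 2 ]; then
    install_hashed_cert "$1" "$2"
fi
```

A file left in the folder under its original name (for example `glpi.pem`) is not found by the hash lookup, which produces the `certificate verify failed` error shown earlier in the thread.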
@krenaudUR Just in case, GLPI Agent 1.7 has been published.
@g-bougard Okay, thanks, I will try in January. I don't want to break it all (I'm sure it will not, but just in case) before the holidays.
It would be nice if you still can validate it works as expected with at least one computer.
@g-bougard Okay, I will try on my computer tomorrow and tell you.
Hi @g-bougard
It seems to work with 1.7; I don't have any keystore export in the log now with `ca-cert-file`.
Bug reporting acknowledgment
Yes, I read it
Professional support
None
Describe the bug
Hello, I don't think it's really related to GLPI Agent, but maybe someone has the solution. On some computers, every hour, it does that if I try to force an inventory (if I try to force an inventory before 1 hour, it does the inventory without that):
The certificate works because on other computers the inventory starts without these things. It's kind of random: some computers do that and others don't.
It has happened since I changed the certificate, but I suspect it's trying to replace data from the previous certificate, but I didn't find where I can delete the previous memory of that.
I already tried to uninstall GLPI Agent and check if the registry key and file still exist after uninstall, but no, all was deleted.
After all of this, it's still working, but it's slowing the process. In normal conditions the inventory is done in 1 minute or less, but with that it takes more than 2 or 3 minutes.
Tell me if I can provide more information to help (in the meantime, here's the full agent log with debug 2 and the settings of the agent (the only thing that changes between computers is the proxy settings), with * on “sensitive” information): glpi-agent.log glpiconfig.txt
PS: I can write in French if it's easier to understand or to help.
To reproduce
Hard to reproduce because it's not really a GLPI problem, but more about the computer itself with the certificate.
But tell me if I can do something to help you about that.
Expected behavior
The inventory starting right away.
Operating system
Windows
GLPI Agent version
1.6.1
GLPI version
10.0.x (See additional context below)
GLPIInventory plugin or FusionInventory for GLPI plugin version
GLPI Inventory v1.x.x (See additional context below)
Additional context
GLPI Server : 10.0.11 GLPI Inventory : 1.3.4