14.2 gw connector doesn't start with check sslcert enabled

hi,

after upgrading to gms 14.2 the gw connector doesn't start when the option check ssl cert is enabled. running mcheck revealed some issues with the ca store. after updating the mob_ca.pem with the chained ca mcheck doesn't show any errors. for this to work i changed the poa ip address to the dns name of the server holding the poa.

any hints how to get the connector work with the ssl check option enabled?

thx
  • Bahsig,
    > any hints how to get the connector work with the ssl check option
    > enabled?


    Any errors in the logs?

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    http://www.novell.com/rms

  • Anders Gustafsson;2416160 wrote:
    Bahsig,
    > any hints how to get the connector work with the ssl check option
    > enabled?


    Any errors in the logs?

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    http://www.novell.com/rms


    OK,

    first we use a wildcard domain certificate which has to be chained in order to be verified. no problem so far.
    here is the output
    gms01:/var/lib/datasync/mobility # openssl s_client -showcerts -CAfile mob_ca.pem -connect mail.intra.bahsig.de:7191
    CONNECTED(00000003)
    depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    verify return:1
    depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    verify return:1
    depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
    verify return:1
    ---
    Certificate chain
    0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    -----BEGIN CERTIFICATE-----
    *******
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1869 bytes and written 300 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: *****
    Key-Arg : None
    Start Time: 1452362480
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    read:errno=0


    But the groupwise-agent.log says
    ERROR [CP WSGIServer Thread-3] [gwsoap:408] [userID:(no user)] [eventID:] [objectID:] [SOAPRequest] SSL error when talking to a POA. Response string: None; Exception: [Errno 1] _ssl.c:497: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Traceback (most recent call last):
    File "./groupwise/lib/gwsoap.py", line 394, in soapRequest
    File "/opt/novell/datasync/common/lib/suds/client.py", line 540, in __call__
    return client.invoke(args, kwargs)
    File "/opt/novell/datasync/common/lib/suds/client.py", line 600, in invoke
    result = self.send(soapenv)
    File "/opt/novell/datasync/common/lib/suds/client.py", line 635, in send
    reply = transport.send(request)
    File "./groupwise/lib/gwsoapclient.py", line 129, in send
    File "/opt/novell/datasync/common/lib/requests/requests/api.py", line 99, in post
    return request('post', url, data=data, json=json, **kwargs)
    File "/opt/novell/datasync/common/lib/requests/requests/api.py", line 49, in request
    response = session.request(method=method, url=url, **kwargs)
    File "/opt/novell/datasync/common/lib/requests/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
    File "/opt/novell/datasync/common/lib/requests/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
    File "/opt/novell/datasync/common/lib/requests/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
    SSLError: [Errno 1] _ssl.c:497: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


    maybe the mob_ca.pem file is misconfigured with the intermediate ca.
  • when i try to start the groupwise connector via admin console i get the following error:
    Error: Please verify that the Connector Manager is running and that the connectors.xml is correctly configured.
  • i found the error.

    the mob_ca.pem didn't hold the root ca but only the intermediate ones. i added the root ca et voilà the groupwise connector is starting without any errors.
  • Bahsig,
    > the mob_ca.pem didn't hold the root ca but only the intermediate ones. i
    > added the root ca et voilà the groupwise connector is starting without
    > any errors.


    Great. Glad you got it fixed. Those cert stuff errors can be pesky.
    Especially with intermediates as they often _seem_ fine when checked.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    http://www.novell.com/rms

  • Hi and thanks for any advice, 14.2 GW connector is working now for me but still not able to connect from the devices.

    2016-07-29 14:16:10.138 INFO [MainThread] [GenericApplicationInterface:275] [userID:] [eventID:] [objectID:] [] Starting Connector Application Interface v14.2.0 279.
    2016-07-29 14:16:13.952 ERROR [CP WSGIServer Thread-3] [DeviceInterface:139] [userID:] [eventID:] [objectID:] [] Auth driver issue: gw_driver instance has no attribute 'logger'
    2016-07-29 14:16:13.969 ERROR [DeviceInterfaceMonitor_Thread] [DeviceInterface:209] [userID:] [eventID:] [objectID:] [Server] Problem with SSL [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

    Lenin
  • Ohico,
    > 2016-07-29 14:16:13.969 ERROR [DeviceInterfaceMonitor_Thread]
    > [DeviceInterface:209] [userID:] [eventID:] [objectID:] [Server] Problem
    > with SSL [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL
    > routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]


    That would point towards the certificate being wrong.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    https://www.novell.com/products/enhancement-request.html

  • Thanks AndersG for your answer, I will check the certificate.
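Added example, not from the thread or from GroupWise Mobility itself: a stdlib-only Python audit of a PEM CA bundle such as mob_ca.pem that lists each certificate's subject and issuer CN and reports whether a self-signed root is present, the piece that was missing in the fix above and the reason Anders notes that intermediates often seem fine when checked. The function names are mine, and `sample_cert_pem` builds constructed, unsigned certificate-shaped DER so the script runs without real certificates; pointing `audit_bundle` at the text of a real bundle works the same way.

```python
import base64
import re
CN_OID = b"\x06\x03\x55\x04\x03"  # DER TLV of id-at-commonName (2.5.4.3)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(cert_der):
    """Return (issuer, subject) Name contents from an X.509 certificate."""
    tbs, pos, fields = read_tlv(read_tlv(cert_der)[1])[1], 0, []
    while len(fields) < 5:  # serial, signatureAlgorithm, issuer, validity, subject
        tag, value, pos = read_tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] EXPLICIT version field
            fields.append(value)
    return fields[2], fields[4]

def common_name(name_der):
    """Best-effort CN: the string TLV that follows the CN OID inside a Name."""
    i = name_der.find(CN_OID)
    return read_tlv(name_der, i + 5)[1].decode("utf-8", "replace") if i >= 0 else "?"

def audit_bundle(pem_text):
    """List every certificate in a PEM bundle and flag whether a self-signed root is present."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = []
    for block in blocks:
        issuer, subject = names(base64.b64decode("".join(block.split())))
        certs.append({"subject": common_name(subject), "issuer": common_name(issuer),
                      "self_signed": issuer == subject})
    return {"certs": certs, "has_root": any(c["self_signed"] for c in certs)}

def der(tag, content):
    """Encode one DER element; only used to build the constructed sample below."""
    k = (len(content).bit_length() + 7) // 8
    lb = bytes([len(content)]) if len(content) < 0x80 else bytes([0x80 | k]) + len(content).to_bytes(k, "big")
    return bytes([tag]) + lb + content

def sample_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate-shaped DER in PEM (not a real certificate)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, CN_OID + der(0x13, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    body = base64.encodebytes(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

A bundle made of leaf plus intermediates only comes back with `has_root` False, which is the state the broken mob_ca.pem was in; a file with no PEM headers at all yields an empty list, the same condition OpenSSL reports as "no start line".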