
14.2 gw connector doesn't start with check sslcert enabled

Hi,

After upgrading to GMS 14.2 the GW connector doesn't start when the option "check SSL cert" is enabled. Running mcheck revealed some issues with the CA store. After updating the mob_ca.pem with the chained CA, mcheck doesn't show any errors. For this to work I changed the POA IP address to the DNS name of the server holding the POA.

Any hints on how to get the connector working with the SSL check option enabled?

Thanks

Norman
BahSIG Bahn-Signalbau GmbH

Re: 14.2 gw connector doesn't start with check sslcert enabled

Bahsig,
> any hints how to get the connector work with the ssl check option
> enabled?


Any errors in the logs?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms


Re: 14.2 gw connector doesn't start with check sslcert enabled

Anders Gustafsson;2416160 wrote:
Any errors in the logs?


OK,

First, we use a wildcard domain certificate which has to be chained in order to be verified. No problem so far.
Here is the output:
gms01:/var/lib/datasync/mobility # openssl s_client -showcerts -CAfile mob_ca.pem -connect mail.intra.bahsig.de:7191
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
*******
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=*.bahsig.de
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1869 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: *****
Key-Arg : None
Start Time: 1452362480
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0


But the groupwise-agent.log says:
ERROR [CP WSGIServer Thread-3] [gwsoap:408] [userID:(no user)] [eventID:] [objectID:] [SOAPRequest] SSL error when talking to a POA. Response string: None; Exception: [Errno 1] _ssl.c:497: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Traceback (most recent call last):
File "./groupwise/lib/gwsoap.py", line 394, in soapRequest
File "/opt/novell/datasync/common/lib/suds/client.py", line 540, in __call__
return client.invoke(args, kwargs)
File "/opt/novell/datasync/common/lib/suds/client.py", line 600, in invoke
result = self.send(soapenv)
File "/opt/novell/datasync/common/lib/suds/client.py", line 635, in send
reply = transport.send(request)
File "./groupwise/lib/gwsoapclient.py", line 129, in send
File "/opt/novell/datasync/common/lib/requests/requests/api.py", line 99, in post
return request('post', url, data=data, json=json, **kwargs)
File "/opt/novell/datasync/common/lib/requests/requests/api.py", line 49, in request
response = session.request(method=method, url=url, **kwargs)
File "/opt/novell/datasync/common/lib/requests/requests/sessions.py", line 461, in request
resp = self.send(prep, **send_kwargs)
File "/opt/novell/datasync/common/lib/requests/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/opt/novell/datasync/common/lib/requests/requests/adapters.py", line 431, in send
raise SSLError(e, request=request)
SSLError: [Errno 1] _ssl.c:497: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Maybe the mob_ca.pem file is misconfigured with the intermediate CA.

Norman
BahSIG Bahn-Signalbau GmbH

Re: 14.2 gw connector doesn't start with check sslcert enabled

When I try to start the GroupWise connector via the admin console I get the following error:
Error: Please verify that the Connector Manager is running and that the connectors.xml is correctly configured.

Norman
BahSIG Bahn-Signalbau GmbH

SOLVED: 14.2 gw connector doesn't start with check sslcert enabled

I found the error.

The mob_ca.pem didn't hold the root CA but only the intermediate ones. I added the root CA and voilà, the GroupWise connector is starting without any errors.

Norman
BahSIG Bahn-Signalbau GmbH
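The diagnosis above, as an added example that is not code from the thread or from GMS: the bundle the connector verifies against must end in a self-signed root, not just the intermediates. Two details explain why the earlier `openssl s_client -CAfile mob_ca.pem` test reported "Verify return code: 0 (ok)" while the connector failed: `s_client` on OpenSSL 1.0.x also loads the system default CA store next to the `-CAfile`, so the missing AddTrust root was found in the system store, whereas the Python `requests` call in the traceback verifies against the bundle file alone. The script below builds a constructed three-tier chain (all CA names and the hostname `poa.example.internal` are made up), counts the self-signed certificates in a bundle, and runs `openssl verify` with `-no-CAfile -no-CApath` so that only the bundle is consulted. It needs the openssl CLI, 1.1.0 or newer for those two flags.

```shell
#!/bin/sh
# Added example (not code from the thread or from GMS): show why a CA bundle that
# holds only intermediates can pass one check and fail another, and test a bundle
# for a self-signed root. Needs the openssl CLI, 1.1.0+ for -no-CAfile/-no-CApath.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed chain root -> intermediate -> leaf; all names are made up.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Root \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Example-Intermediate \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=poa.example.internal \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 \
    -out leaf.crt 2>/dev/null

cat int.crt > bundle_intermediate_only.pem      # what the broken mob_ca.pem looked like
cat int.crt root.crt > bundle_with_root.pem     # what fixed it

# Print the number of self-signed (subject == issuer) certificates in a PEM bundle.
# OpenSSL only completes a chain at a self-signed certificate; intermediates alone
# leave it with "unable to get issuer certificate".
count_roots() {
    n=0
    awk '/-----BEGIN CERTIFICATE-----/{c++} c>0 {print > ("split_" c ".pem")}' "$1"
    for f in split_*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject)
        iss=$(openssl x509 -in "$f" -noout -issuer)
        [ "${subj#subject=}" = "${iss#issuer=}" ] && n=$((n + 1))
    done
    rm -f split_*.pem
    echo "$n"
}

# Verify a leaf against the bundle alone, as an application that passes the bundle
# path as its CA file does. Without -no-CApath the verify tool also loads the system
# CA directory, and a root missing from the bundle is silently found there.
verify_strict() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" > /dev/null 2>&1
}

for b in bundle_intermediate_only.pem bundle_with_root.pem; do
    printf '%s: self-signed roots=%s, verify against bundle only: ' "$b" "$(count_roots "$b")"
    if verify_strict "$b" leaf.crt; then echo OK; else echo FAILED; fi
done
```

Run it against a real mob_ca.pem by calling `count_roots /path/to/mob_ca.pem` and `verify_strict /path/to/mob_ca.pem poa.crt` with the POA certificate saved from `openssl s_client -showcerts`; a count of 0 means the bundle can never complete a chain on its own, whatever `s_client` reports.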

Re: 14.2 gw connector doesn't start with check sslcert enabled

Bahsig,
> the mob_ca.pem didn't hold the root ca but only the intermediate ones. i
> added the root CA et voilà the GroupWise connector is starting without
> any errors.


Great. Glad you got it fixed. Those cert issues can be pesky,
especially with intermediates, as they often _seem_ fine when checked.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)


Re: 14.2 gw connector doesn't start with check sslcert enabled

Hi, and thanks for any advice. The 14.2 GW connector is working now for me, but I am still not able to connect from the devices.

2016-07-29 14:16:10.138 INFO [MainThread] [GenericApplicationInterface:275] [userID:] [eventID:] [objectID:] [] Starting Connector Application Interface v14.2.0 279.
2016-07-29 14:16:13.952 ERROR [CP WSGIServer Thread-3] [DeviceInterface:139] [userID:] [eventID:] [objectID:] [] Auth driver issue: gw_driver instance has no attribute 'logger'
2016-07-29 14:16:13.969 ERROR [DeviceInterfaceMonitor_Thread] [DeviceInterface:209] [userID:] [eventID:] [objectID:] [Server] Problem with SSL [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

Lenin
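The "PEM_read_bio: no start line" failure in the log above, as an added example that is not code from the thread or from GMS: OpenSSL's PEM reader raises it when the file handed to SSL_CTX_use_PrivateKey_file contains no "-----BEGIN ... PRIVATE KEY-----" header, typically because the key is DER-encoded, the file is empty, or a certificate was put in the key's place. The script creates a constructed key and certificate (the hostname `gms.example.internal` is made up), reproduces the failure with a DER copy of the key, converts it to PEM, and checks that the key matches the certificate it will be served with. It needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not code from the thread or from GMS): reproduce the
# "PEM_read_bio: no start line" failure from SSL_CTX_use_PrivateKey_file and
# check a key file before a server is pointed at it. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed inputs (made-up hostname): a PEM key with its certificate, plus the
# same key written as DER, which has no "-----BEGIN" header at all.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -subj /CN=gms.example.internal \
    -keyout server.key -out server.crt 2>/dev/null
openssl pkey -in server.key -outform DER -out server.der

# Succeed only for a file that carries a PEM private-key header and parses.
# The header grep is the same test OpenSSL's PEM reader does; a DER key, an empty
# file, or a certificate dropped in the key's place all fail it with "no start line".
is_pem_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" && openssl pkey -in "$1" -noout 2>/dev/null
}

# Succeed only when key and certificate carry the same public key, so the server
# is not started with a key that belongs to a different certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# The DER copy fails the way the log does; converting it to PEM fixes it.
if is_pem_key server.der; then echo "server.der: PEM key"; else echo "server.der: no PEM header"; fi
openssl pkey -in server.der -inform DER -out server.fixed.key
if is_pem_key server.fixed.key && key_matches_cert server.fixed.key server.crt; then
    echo "server.fixed.key: PEM key that matches server.crt"
fi
```

Point `is_pem_key` and `key_matches_cert` at the key and certificate files the device interface is configured with; a key that fails the first check is what produces the log line above, and one that fails the second will load but then fail the TLS handshake.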

Re: 14.2 gw connector doesn't start with check sslcert enabled

Ohico,
> 2016-07-29 14:16:13.969 ERROR [DeviceInterfaceMonitor_Thread]
> [DeviceInterface:209] [userID:] [eventID:] [objectID:] [Server] Problem
> with SSL [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL
> routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]


That would point towards the certificate being wrong.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)


Re: 14.2 gw connector doesn't start with check sslcert enabled

Thanks, AndersG, for your answer. I will check the certificate.