Windows GLPI Agent 1.7.1 can't inventory - server HTTPS with Enterprise PKI [Q&A]

[s0p4L1n3]

Documentation & bug reporting acknowledgment

Yes, I read it

Describe your problem

Hello,

I already found the previous discussion that were resolved (PR-142)
But I have this error:

[http client] internal response: 500 can't connect to glpi.enterprise.local:443 (Bad file descriptor), SSL connect attempt failed error::SSL routines:tls_process_server_certificate:certificate verify failed.

I have my ROOT CA cert in Root Cert Store and SUB CA in Sub Cert Store.

GLPI server is behind traefik proxy, the glpi server certificate is bas64 pem with the below format:

-----BEGIN PRIVATE KEY-----
<base64 encoded private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<base64 encoded server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded trusted CA certificate>
-----END CERTIFICATE-----

With openssl s_client -showcerts -connect glpi.enterprise.local:443
I got:

• verify return code: 19 (self signed certificate in certificate chain)
  The glpi agent behavior and error log is similar to this command

With openssl s_client -showcerts -connect glpi.enterprise.local:443 -CAfile C:\Users\test\Documents\ENTERPRISE-CHAIN.cer
ENTERPRISE-CHAIN.cer contain the BASE64 certificates of SUBCA and ROOTCA

• I got no error of verification which should be the optimistic result.

Is there an issue on how I configured my CAs ?
Do I need to set the ca-cert-file regedit key ?

Is it normal that glpi agent can't lookup on Root trust store and intermediate trust store to verify the said error ?

[g-bougard]

Hello @s0p4L1n3,

can you share the output of the following command run from an administrative console and from the glpi-agent installation folder ?

glpi-agent --logger=stderr --debug --debug --tasks=collect --force

This should show if the agent is extracting the CA certificate from the keystore you're expecting. And this should also show some more detailed SSL debug datas.

You can also test the result adding --ca-cert-file=C:\Users\test\Documents\ENTERPRISE-CHAIN.cer.

[s0p4L1n3]

I've tested with two different options:

• With REG no_ssl_check = 1

log_debug_result_1

[debug] target server0: server https://glpi.enterprise.local/front/inventory.php
[debug] Planned tasks for server0: Collect
[debug] Provided by Teclib Edition
[debug] Installer built on Fri Dec 22 15:25:22 2023 UTC
[debug] Built with Strawberry Perl 5.36.0
[debug] Built on github actions windows image for glpi-project/glpi-agent repository
[debug] Running in foreground mode
[info] server0 is not ready yet, but run is forced
[info] target server0: server https://glpi.enterprise.local/front/inventory.php
[debug2] [http client] Not using compression
[info] sending contact request to server0
[debug2] [http client] DEDDD129: sending message:
{
   "action": "contact",
   "deviceid": "WKS-IT-01-2024-03-19-16-54-09",
   "enabled-tasks": [
      "collect"
   ],
   "installed-tasks": [
      "collect",
      "deploy",
      "esx",
      "inventory",
      "netdiscovery",
      "netinventory",
      "remoteinventory"
   ],
   "name": "GLPI-Agent",
   "version": "1.7.1"
}
[info] [http client] SSL Client warning: Peer certificate not verified
[info] [http client] SSL Client info: Cert-Issuer: '/DC=local/DC=enterprise/CN=ENTERPRISE-SUBCA', Cert-Subject: '/CN=GLPI', Version: 'TLSv1_3', Cipher: 'TLS_AES_128_GCM_SHA256'
[info] [http client] SSL server certificate fingerprint: sha256$f**************************************************
[info] [http client] You can set it in conf as 'ssl-fingerprint' and disable 'no-ssl-check' option to trust that server certificate
[debug2] [http client] DEDDD129: received message:
{"message":"collect task not supported","disabled":["collect"],"expiration":"24","status":"ok"}
[debug] server message: collect task not supported
[debug2] [http client] Not using compression
[info] sending prolog request to server0
[debug2] [http client] sending message:
<?xml version="1.0" encoding="UTF-8"?>
<REQUEST>
  <DEVICEID>WKS-IT-01-2024-03-19-16-54-09</DEVICEID>
  <QUERY>PROLOG</QUERY>
  <TOKEN>12345678</TOKEN>
</REQUEST>
[info] [http client] SSL Client warning: Peer certificate not verified
[info] [http client] SSL Client info: Cert-Issuer: '/DC=local/DC=enterprise/CN=ENTERPRISE-SUBCA', Cert-Subject: '/CN=GLPI', Version: 'TLSv1_3', Cipher: 'TLS_AES_128_GCM_SHA256'
[info] [http client] SSL server certificate fingerprint: sha256$f*********************************************************
[info] [http client] You can set it in conf as 'ssl-fingerprint' and disable 'no-ssl-check' option to trust that server certificate
[debug2] [http client] receiving message:
<?xml version="1.0"?>
<REPLY><PROLOG_FREQ>24</PROLOG_FREQ><RESPONSE>SEND</RESPONSE></REPLY>

• With REG no_ssl_check = 0

log_debug_result_1

[debug] Logger backend Stderr initialized
[debug] Logger backend File initialized
[debug] GLPI Agent (1.7.1)
[debug] Configuration directory: C:/Program Files/GLPI-Agent/etc
[debug] Data directory: C:/Program Files/GLPI-Agent/share
[debug] Storage directory: C:\Program Files\GLPI-Agent\var
[debug] Lib directory: C:/Program Files/GLPI-Agent/perl/agent
[debug] [target server0] Next server contact planned for Thu Mar 21 12:24:50 2024
[debug2] getAvailableTasks() : add of task Collect version 2.9
[debug2] getAvailableTasks() : add of task Deploy version 3.0
[debug2] getAvailableTasks() : add of task ESX version 2.10
[debug2] getAvailableTasks() : add of task Inventory version 1.15
[debug2] getAvailableTasks() : add of task NetDiscovery version 6.1
[debug2] getAvailableTasks() : add of task NetInventory version 6.1
[debug2] getAvailableTasks() : add of task RemoteInventory version 1.4
[debug2] Preparing execution plan
[debug] Available tasks:
[debug] - Collect: 2.9
[debug] - Deploy: 3.0
[debug] - ESX: 2.10
[debug] - Inventory: 1.15
[debug] - NetDiscovery: 6.1
[debug] - NetInventory: 6.1
[debug] - RemoteInventory: 1.4
[debug] target server0: server https://enterprise.local/front/inventory.php
[debug] Planned tasks for server0: Collect
[debug] Provided by Teclib Edition
[debug] Installer built on Fri Dec 22 15:25:22 2023 UTC
[debug] Built with Strawberry Perl 5.36.0
[debug] Built on github actions windows image for glpi-project/glpi-agent repository
[debug] Running in foreground mode
[info] server0 is not ready yet, but run is forced
[info] target server0: server https://enterprise.local/front/inventory.php
[debug2] [http client] Not using compression
[info] sending contact request to server0
[debug2] [http client] E1DF5630: sending message:
{
   "action": "contact",
   "deviceid": "WKS-IT-01-2024-03-19-16-54-09",
   "enabled-tasks": [
      "collect"
   ],
   "installed-tasks": [
      "collect",
      "deploy",
      "esx",
      "inventory",
      "netdiscovery",
      "netinventory",
      "remoteinventory"
   ],
   "name": "GLPI-Agent",
   "version": "1.7.1"
}
[debug] [http client] Updating keystore known certificates
[debug2] Changing to 'C:/Program Files/GLPI-Agent/var/keystore-export-nVIsZb' temporary folder
[debug2] executing certutil -Silent -Split -Store CA
[debug2] executing certutil -Silent -Split -Store Root
[debug2] executing certutil -Silent -Split -Enterprise -Store CA
[debug2] executing certutil -Silent -Split -Enterprise -Store Root
[debug2] executing certutil -Silent -Split -GroupPolicy -Store CA
[debug2] executing certutil -Silent -Split -GroupPolicy -Store Root
[debug2] executing certutil -Silent -Split -User -Store CA
[debug2] executing certutil -Silent -Split -User -Store Root
[debug2] executing certutil -encode 0119***********************************8.crt temp.cer
[debug2] executing certutil -encode 03cd***********************************0.crt temp.cer
[debug2] executing certutil -encode 06f1***********************************2.crt temp.cer
[debug2] executing certutil -encode 109f***********************************c.crt temp.cer
[debug2] executing certutil -encode 18f7***********************************5.crt temp.cer
[debug2] executing certutil -encode 245c***********************************5.crt temp.cer
[debug2] executing certutil -encode 31f9***********************************4.crt temp.cer
[debug2] executing certutil -encode 3b1e***********************************5.crt temp.cer
[debug2] executing certutil -encode 727c***********************************d.crt temp.cer
[debug2] executing certutil -encode 7f88***********************************7.crt temp.cer
[debug2] executing certutil -encode 8f43***********************************e.crt temp.cer
[debug2] executing certutil -encode 92b4***********************************5.crt temp.cer
[debug2] executing certutil -encode a434***********************************9.crt temp.cer
[debug2] executing certutil -encode be36***********************************6.crt temp.cer
[debug2] executing certutil -encode cdd4***********************************2.crt temp.cer
[debug2] executing certutil -encode d559***********************************8.crt temp.cer
[debug2] executing certutil -encode fee4***********************************4.crt temp.cer
[debug2] Changing back to 'C:/Program Files/GLPI-Agent' folder
DEBUG: .../IO/Socket/SSL.pm:3020: new ctx 77677332
DEBUG: .../IO/Socket/SSL.pm:705: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:707: socket connected
DEBUG: .../IO/Socket/SSL.pm:730: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:774: using SNI with hostname enterprise.local
DEBUG: .../IO/Socket/SSL.pm:815: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:831: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:845: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS handshake, Client hello (1)
DEBUG: .../IO/Socket/SSL.pm:848: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:858: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:868: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:888: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:845: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Server hello (2)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Certificate (11)
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [1] /CN=ENTERPRISE-ROOTCA/DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [0] /DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA/CN=GLPI
DEBUG: .../IO/Socket/SSL.pm:1840: scheme=www cert=76589642
DEBUG: .../IO/Socket/SSL.pm:1850: identity=enterprise.local cn=GLPI alt=2 enterprise.local 2 glpi
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, CERT verify (15)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:2911: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:848: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:903: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4)
[debug2] [http client] E1DF5630: received message:
{"message":"collect task not supported","disabled":["collect"],"expiration":"24","status":"ok"}
[debug] server message: collect task not supported
[debug2] [http client] Not using compression
DEBUG: .../IO/Socket/SSL.pm:3069: free ctx 77677332 open=77677332
DEBUG: .../IO/Socket/SSL.pm:3073: free ctx 77677332 callback
DEBUG: .../IO/Socket/SSL.pm:3080: OK free ctx 77677332
[info] sending prolog request to server0
[debug2] [http client] sending message:
<?xml version="1.0" encoding="UTF-8"?>
<REQUEST>
  <DEVICEID>WKS-IT-01-2024-03-19-16-54-09</DEVICEID>
  <QUERY>PROLOG</QUERY>
  <TOKEN>12345678</TOKEN>
</REQUEST>
DEBUG: .../IO/Socket/SSL.pm:3020: new ctx 98766554
DEBUG: .../IO/Socket/SSL.pm:705: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:707: socket connected
DEBUG: .../IO/Socket/SSL.pm:730: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:774: using SNI with hostname enterprise.local
DEBUG: .../IO/Socket/SSL.pm:815: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:831: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:845: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS handshake, Client hello (1)
DEBUG: .../IO/Socket/SSL.pm:848: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:858: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:868: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:888: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:845: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Server hello (2)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Certificate (11)
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [1] /CN=ENTERPRISE-ROOTCA/DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [0] /DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA/CN=GLPI
DEBUG: .../IO/Socket/SSL.pm:1840: scheme=www cert=88300405
DEBUG: .../IO/Socket/SSL.pm:1850: identity=enterprise.local cn=GLPI alt=2 enterprise.local 2 glpi
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, CERT verify (15)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:2911: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1)
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (OUT), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:848: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:903: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:3700: * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4)
[debug2] [http client] receiving message:
<?xml version="1.0"?>
<REPLY><PROLOG_FREQ>24</PROLOG_FREQ><RESPONSE>SEND</RESPONSE></REPLY>
DEBUG: .../IO/Socket/SSL.pm:3069: free ctx 98766554 open=98766554
DEBUG: .../IO/Socket/SSL.pm:3073: free ctx 98766554 callback
DEBUG: .../IO/Socket/SSL.pm:3080: OK free ctx 98766554

I understand the logs when no_ssl_check = 1, but I applied this parameter when I had no PKI on the network, but now I have Enterprise PKI, using this setting is normally not needed.

Adding ca-cert-file REG key (along with no-ssl-check = 0) still gives error but another error message:

|http client] communication error: 400 Bad Request, Protocol not supported

[g-bougard]

Indeed I don't see any error regarding SSL: it just works with the certificate in found in keystore as the following line are telling when no-ssl-check=0 :

DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [1] /CN=ENTERPRISE-ROOTCA/DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [0] /DC=local/DC=ENTERPRISE/CN=ENTERPRISE-SUBCA/CN=GLPI

The 400 Bad Request error is normal as the agent is requesting an url for Collect task which can only be handled by GlpiInventory plugin and if you had changed the server url to the expected one. Requesting only Collect task here is just for the test, to limit the output to only what's really needed, i.e. the SSL debugging output.

So to me, everything seems good. Have you changed the configuration and forgot to restart the service when you saw the problem ? In your tests before, you used glpi.enterprise.local host and here you seem to have configured just enterprise.local in the url. This is maybe a source of confusion.

As far as the agent logs a response from the server, this means your SSL configuration is correct.

[s0p4L1n3]

Silly me, I just forgot to restart the service as you said...
Event without the ca-cert-file REG key it works, so I don't have to deploy the cert-chain-bundle on each workstations to make it work.
And about the host url, it's probably because I've written manually the logs without the possibility to copy/paste as I'm working on physical isolated network.

A force de vouloir chercher le problème au plus spécifique, on oublie parfois de réaliser les tests les plus basiques, c'est pas la première fois que ça m'arrive d'ailleurs.

Merci pour votre aide et réactivité.