[icinga-users] API TLS error which was fixed in previous version

Michael Friedrich Michael.Friedrich at netways.de
Fri Nov 20 17:34:56 CET 2015


> On 20 Nov 2015, at 15:07, NOC <noc at babylon.network> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> When calling the API of Icinga 2.4 on CentOS 6.7 with the command
> (curl -k -s -u root:icinga 'https://localhost:5665/v1') I get the
> following error in icinga2.log:
>
> [2015-11-20 15:03:38 +0100] warning/TlsStream: OpenSSL error:
> error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
> certificate
>
> This error seems to match with a reported (and already fixed) error
> which should be fixed in v2.4: https://dev.icinga.org/issues/9947
>
> Does anyone have any idea what might be the problem?

This happens with SSL certificates created in older versions of Icinga 2. I’m not sure if I may explain that correctly, but I’ll try.

In the past there was an issue with setting the ssl version support correctly using the pki cli commands (node wizard/setup is using them as well). There was an update with the NSS library used in curl which now rejects all certificates not properly setting the version and so does your curl command fail. That happens in a similar fashion when using a browser, we did see that yesterday during the OSMC hackathon as well. The workaround fix is to recreate the certificates using the current Icinga 2 cli tools, though this might affect the cluster setup if not done properly - backup existing certificates.

It would certainly help to see the ssl certificate in ascii text, as my colleague requested in an answer. Like this

# openssl x509 -in mbmif.int.netways.de.crt -text

Extract the header and post it.

Kind regards,
Michael

>
> - --
> Tim Semeijn
> Babylon Network
>
> PGP: 0x2A540FA5 / 3DF3 13FA 4B60 E48A E755 9663 B187 0310 2A54 0FA5
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCgAGBQJWTykEAAoJELGHAxAqVA+lhRwP/1txeLFLPYIEsLWh5XZZTirn
> gMw2EbPX+a/aXOvDToBlPh86TEE/CrnI6CiLzB9+RA11JegavEv4sZDjTWRLPr1I
> WAJKa4rwo6GQPvzYY35AhshPdPJeg6W1/Ca2fZ5qS2AprYMB1npV6VBUsgLuZXb7
> AtToPpd2TY9yz3SG1jHchVvyzPi9xIHwbsuE2rIJwY8TAD7D9K5tgPZbaBmt2cUS
> likfE4Tk6oHknllmETck9XZ+95Kc8jaqwKUvfqP1Ro/UbXeA05JvjWULgxwqt0ZM
> bQ6HF8Q3C6tloAHPDhGkPd/U3P5G044J1+9XcvviiAtEIZPbXOTnz7Vy7bKRpaOQ
> Oxf6v7RerB61MYXuxMtws5+/lhbpk05+iLFo9XPlllAmPJmshpHZgTtvKiU5bB+4
> WqcavLyaUy3BmRhrZ5EQ6+LMqGM/29mtdoosnBRK1xNq2Nx01nLvL0y8sO4cGzrp
> 5zh+mWqyFmdcR+Yf3i9mPhcWT3X9ku0wuwlwxknKLAITbbZgNWEh+HXZ1nwZyFFI
> /RfiYxK+PL8FKATP1qMH9a4EqUImunGW8pk+ou1k2BCo3JX2izMFy/7g0hnpnQnM
> dnqbfNAoCMtLxlYxXk+DeFqaB5LGO81QY3u5tWZMNQSDeyDM+RsG20lqcHRkf5Vi
> vHn1C5T4PfABB8V7QQKC
> =tMnb
> -----END PGP SIGNATURE-----
> _______________________________________________
> icinga-users mailing list
> icinga-users at lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users


-- 
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | Michael.Friedrich at netways.de

** OSMC 2015 - November - netways.de/osmc **
** OSDC 2016 - April – netways.de/osdc **


More information about the icinga-users mailing list